1. Introduction


1.1 Motivation 


In the development of our understanding of complex phenomena, the most powerful tool available to enhance our comprehension is abstraction. Abstraction arises from the recognition of similarities between certain objects or processes, and the decision to concentrate on these correspondences and to ignore, for the present, their differences [Hoare 72]. In focusing on similarities, one tends to regard them as fundamental and intrinsic, and to view the differences as trivial.

One of the earliest recognized and most useful aids to abstraction in programming is the self-contained subroutine or procedure. Procedures appeared as early as 1945 in Zuse's programming language, Plankalkül [Knuth 78]. Besides this, early developers of programming languages recognized the utility of the notion of a procedure. Curry, in 1950, described the advantages of including procedures in the programming languages being developed at that time by pointing out that the decomposition mechanism provided by a procedure would allow keener insight into a problem by permitting consideration of its separate, distinct parts [Curry 50].

The existence of procedures goes quite far toward capturing the meaning of abstraction [Liskov and Zilles 74]. At the point of its invocation, a procedure may be treated as a "black box" that performs a specific function by means of an unprescribed algorithm. Thus, at the level of its invocation, a procedure separates the relevant detail of what it accomplishes from the irrelevant detail of how it is implemented. Furthermore, at the level of its implementation, a procedure facilitates understanding of how it accomplishes its task by freeing the programmer from considering why it is invoked.

However, procedures alone do not provide a sufficiently rich vocabulary of abstractions [Liskov and Zilles 75]. Procedures, while well suited to the description of abstract processes or events, do not accommodate the description of abstract objects. To alleviate this problem, the concept of a data abstraction was introduced. This comprises a group of related functions or operations which act upon a particular class of objects with the constraint that objects in this class can only be observed or modified by the application of its related operations [Liskov and Zilles 75].

A typical example of a data abstraction is an integer push down stack. Here, the class of objects consists of all possible stacks and the collection of related operations includes the usual stack operations, like push and pop, an operation to create new stacks, and an operation, top, to return the integer on top of the stack.

The set of operations associated with a data abstraction will, in general, include operations to create objects of the data abstraction, operations to modify objects of the data abstraction and operations to obtain information about the structure or contents of objects of the data abstraction. The first two categories of operations, which include push and pop, are the constructors of the data abstraction. Operations in the last category are inquiry operations as they provide information about the data abstraction. Top belongs to this category.

Constructors can be further classified into two different groups: information adding operations and information removing operations. Information adding operations place new information in the data abstraction. For example, push is an information adding operation for the integer push down stack. Its complement, pop, is an information removing operation. This type of operation removes information from an object of the data abstraction and results in a new object of the data abstraction whose information content is a subset of the information content of the original object [Kapur 78].

A data abstraction provides the same aids to abstraction as a procedure and allows one to separate the implementation details of a data abstraction from its behavior. The behavior of a data abstraction can be described by a specification. A specification of a data abstraction specifies the names and defines the abstract meaning of the associated operations of the data abstraction. It describes what the data abstraction does but not how it is done. This latter task is performed by an implementation. An implementation of a data abstraction describes the representation of objects of the data abstraction and the implementation of the operations that act upon these objects. Though these different attributes of specification and implementation are, in practice, highly interdependent, they represent logically distinct concepts [Guttag 75].

The main concern of this thesis is the specification of data abstractions. Specification is important because it describes the abstract object which has been conceived in someone's mind. It can be used as a communication medium among designers and implementors to insure that an implementor understands the designer's intentions about the data abstraction he is coding [Liskov and Zilles 75].

Moreover, if a formal specification technique, one with an explicitly and precisely defined syntax and semantics, is used, even further benefits can be derived. Formal specifications can be studied mathematically so that questions, such as the equivalence of two different specifications, may be posed and rigorously answered. Also, formal specifications can serve as the basis for proofs of correctness of programs. If a programming language's semantics are defined formally [Milne and Strachey 76], properties of a program written in this language can be formally proved. The correctness of the program can then be proved by establishing the equivalence of these properties and the specification. Finally, formal specifications can be meaningfully processed by a computer [Liskov and Zilles 75], [Liskov and Berzins 77]. Since this processing can be done independently of implementation, it can provide design and configuration guidelines during program development.


1.2 Parnas’s Approach to Specification 


The information contained in the specification of a data abstraction can be divided into a syntactic part and a semantic part [Liskov and Zilles 75]. The syntactic part provides a vocabulary of terms or symbols that are used by the semantic part to express the actual meaning or behavior of the data abstraction. Two different approaches are used in capturing this meaning: either an explicit, abstract model is supplied for the class of objects and its associated operations are defined in terms of this model, or the class of objects is defined implicitly via descriptions of the operations [Liskov and Zilles 75].

Parnas [Parnas 72] has developed a technique and notation for writing specifications based on the implicit approach. His specification scheme was devised with the following goals in mind [Parnas 72]:

1) The specification must provide to the user all the information that he will need to correctly use the object specified, and nothing more.

2) The specification must provide to the implementor all the information about the intended use of the object specified that he needs to implement the specification, and no additional information.

3) The specification should discuss the object specified in the terms normally used by user and implementor alike rather than in some other area of discourse.

When using Parnas's technique, each data object is viewed as the state of an abstract (and not necessarily finite) state machine and, in Parnas's specifications, this state set is implicitly defined. The basic idea is to separate the operations of the data abstraction into two distinct classes: those which do not change the state but allow some aspect of the state to be observed, the value returning or V-functions, and those which change the state, the operation or O-functions. The specifications are then written by stating the effect of each O-function on the result of each V-function. This implicitly defines the smallest set of states necessary to distinguish the variations in the results of the V-functions [Liskov and Zilles 75]. It also determines the transitions among these states caused by the O-functions.

Returning to the integer push down stack example, consider the operations top and push. Top is a V-function that is defined as long as the stack is not empty, and push is an O-function that affects the result of top. These operations might be specified as in Figure 1, where depth is another V-function whose definition is not shown here, but reflects the number of integers in the stack. Quotes around a V-function are used to indicate its value after the O-function is executed.¹

1. This interpretation of quotes differs from that in [Parnas 72, 75].

Figure 1. Top and Push

    top = V-function() returns integer
        Applicability Condition: depth ≥ 1
    end top

    push = O-function(a:integer)
        Applicability Condition: depth < 100
        Effects Section: 'top' = a
                         'depth' = depth + 1
    end push

A problem with this approach is that certain O-functions may have delayed effects on the V-functions. In other words, some property of the state will be observed by a V-function only after some O-function has been executed. For example, push has a delayed effect on top in the sense that after a new element has been pushed on the stack, the former top of the stack element is no longer observable by top but it will be if pop is used.

Parnas used an informal language to express these delayed effects [Parnas 72, 75]. In his specifications, he included a section, called modular properties, for describing delayed effects in English, at times interlaced with simple equations [Parnas 75]. For example, to specify the interaction of push and pop, Parnas used the phrase "The sequence PUSH(a);POP has no net effect if no error call occurs" [Parnas 75].


One method to formally describe delayed effects is to use hidden V-functions [Price 73] to represent aspects of the state which are not immediately observable. Hidden V-functions are not operations associated with the data abstraction being defined. They are introduced to store values of other V-functions and in this manner they solve the representational problems caused by delayed effects. Since they are not operations of the data abstraction, users of the abstraction should not be able to use them. As an example, in the specification of a push down stack, one could introduce a hidden V-function stack to store the former top of the stack element.

This approach has been followed by researchers at the Stanford Research Institute [Robinson 77], [Spitzen 76]. However, their main concern with Parnas's approach to specification is its use in a general methodology for the design, implementation and proof of large software systems [Robinson 75], [Neumann 74]. With this goal in mind, they have designed a specification language, called SPECIAL, for describing Parnas-type specifications [Roubine 76]. But, no formal semantics have been provided for SPECIAL.

1.3 State Machine Specifications 


This thesis develops a formal specification technique based on Parnas' ideas. The specifications written using this technique are called state machine specifications and employ hidden V-functions. The specification technique described in this thesis is similar to work being done at the Stanford Research Institute. No attempt is made to formalize Parnas' notion of a modular properties section.

An example of a state machine specification is given below in Figure 2. Here, the data abstraction defined is a bounded integer stack with the following operations. Top is a V-function that is defined as long as the stack is not empty and returns the top of the stack. Depth is another V-function that reflects the number of integers in the stack. Push and pop are O-functions that insert and delete, respectively, integers from the top of the stack.

Figure 2. Bounded Integer Stack

    bounded_stack = state machine is push, pop, top, depth

        depth = non-derived V-function() returns integer
            Appl. Cond.: true
            Initial Value: 0
        end depth

        stack = hidden V-function(i:integer) returns integer
            Appl. Cond.: 1 ≤ i ≤ depth
            Initial Value: undefined
        end stack

        top = derived V-function() returns integer
            Appl. Cond.: depth ≥ 1
            Derivation: stack(depth)
        end top

        pop = O-function()
            Appl. Cond.: depth ≥ 1
            Effects: 'depth' = depth - 1
        end pop

        push = O-function(a:integer)
            Appl. Cond.: depth < 100
            Effects: 'depth' = depth + 1
                     'stack'(depth + 1) = a
        end push

    end bounded_stack

Notice that there are three different types of V-functions included in the specification. The hidden V-functions are used to represent aspects of the state that are not immediately observable. Recall the delayed effect of push on top. When a new element is pushed on the stack, the former top of stack element is no longer observable by top but it will be if pop is used. This value is stored in the hidden V-function stack. Hidden V-functions are not directly accessible to users of the data abstraction, but limited access to them is provided by the derived V-functions, which are defined in terms of the hidden and non-derived V-functions. Non-derived V-functions are also accessible to users of the data abstraction. They are inquiry operations that reveal intrinsic aspects of the data abstraction defined by the specification.

Note that the specification in Figure 2 uses two data abstractions, namely the integers and Booleans, which are distinct from the data abstraction defined by the machine. These data abstractions are called the defining abstractions. They are not restricted to contain only the integers and Booleans and can consist of an entire collection of data abstractions. The defining abstractions are usually simple abstractions that are used to construct more complicated state machine specifications.

The defining abstractions are used in the domain and range of the V-functions and O-functions. They constitute the information that the O-functions, the constructors, add or remove from the data abstraction. They are also the results that the V-functions, the inquiry operations, return. The defining abstractions are assumed to be defined elsewhere either by state machines or some other formal specification technique.

The semantics of a state machine can be defined by giving the following interpretation to the V-functions and O-functions. In every state of the machine, some mapping is associated with each V-function. These mappings characterize the state. They represent the information that the V-functions reveal about each state. In fact, since the derived V-functions are defined in terms of the non-derived and hidden V-functions, the state of a state machine is completely characterized by the mappings of the non-derived and hidden V-functions. The O-functions change the state of the machine by redefining these mappings.

1.4 Uses of State Machines


As was previously discussed, formal specifications can be studied mathematically. So, state machine specifications can be used to prove properties of data abstractions or the equivalence of different specifications. Furthermore, they can be used as an unambiguous communications medium among programmers due to their precisely defined semantics. But one of their most important uses will be to serve as the basis for proofs of program correctness.

Establishing program correctness can be described as a two step process with the overall goal of showing that a program correctly implements a concept that exists in someone's mind. First, a formal description of the concept is needed. This can be done by a formal specification. Then, the program is proved equivalent to the specification by analytic means. [Hoare 72a] has described a method to accomplish this latter task. However, Hoare's method requires some adaptations to meet the special needs of state machines. Accordingly, this thesis also discusses these changes and how to perform proofs of correctness using state machines.

1.5 The Outline of the Thesis


Chapter 2 presents a model for the semantics of state machine specifications. First, the basic components that every state machine must contain are discussed. Then these basic components are used to develop a model for the semantics of a state machine. The discussion in this chapter is abstract, presenting only the objects that the basic components of any state machine must specify but not discussing an actual language to specify these objects. Hence, the model developed is quite general and not tied to a particular specification language. However, this model is restricted to state machines that only contain unary operations on the data abstraction defined by the machine.

Chapter 3 presents an actual specification language for state machines. It is a complement to the abstract discussion in Chapter 2 and uses the model developed in Chapter 2 to formalize the semantics of this concrete specification language.

Chapters 4 and 5 discuss and illustrate a method to prove the correctness of an implementation of a data abstraction specified by a state machine.

Chapter 6 extends the model for the semantics of state machines described in Chapter 2 by lifting the restriction to unary operations.

Chapter 7 concludes this thesis with an evaluation of all the work presented and some suggestions for extensions to the state machine specification technique.


2. A Model for State Machines


This chapter presents a model for the semantics of state machine specifications. In Section 2.1, the basic components that every state machine specification must contain are discussed. Section 2.1 only defines the syntactic constraints that a state machine specification must satisfy. Semantic issues concerning whether the machine is well-defined are discussed in Section 2.2, which shows how these basic components can be used to develop a model for the semantics of a state machine. Here, each machine is modelled by a set of states, where each state is modelled by a set of functions corresponding to the hidden and non-derived V-functions; O-functions define transitions between states.

The discussion here is abstract, presenting only the objects that the basic components of any state machine must specify but not discussing an actual language to specify these objects. Hence, the model developed here is quite general and applicable to any state machine specified using a combination of V-functions and O-functions. It is not, however, applicable to state machines specified using something similar to Parnas's modular properties section.

2.1 The Basic Components of a State Machine 


The state machines considered here are specified using V-functions and O-functions. In principle, one could define a state machine without any V-functions. Such a specification, however, would be singularly uninteresting. Without V-functions there would be no way to observe the state of the machine and, hence, no way to distinguish one member of the data abstraction defined by the machine from any other member. So, we shall assume all state machines have one or more V-functions.

Furthermore, most interesting state machine specifications will contain one or more O-functions since, without O-functions, a state machine can only specify a data abstraction containing exactly one element.

2.1.1 V-functions


As was discussed in Chapter 1, there are three types of V-functions: the non-derived V-functions and the hidden V-functions, which are primitive, and the derived V-functions, which are not primitive but are defined in terms of the other two.


2.1.1.1 Non-derived and Hidden V-functions


Non-derived and hidden V-functions are specified analogously. Each non-derived or hidden V-function $v$ has three sections in its definition: a mapping description, an applicability condition and an initial value section.

Figure 3. Non-derived or hidden V-function v

    Mapping Description: $D_v$; $R_v$
    Applicability Condition: $\Omega_v : \mathcal{D} \times D_v \to \text{Boolean}$
    Initial Value: $\mathrm{init}_v \in [D_v \to R_v]$


First, let $[A \to B]$ denote the set of partial functions from the set $A$ to the set $B$. In each state $S$ of the state machine some particular mapping from $[D_v \to R_v]$ will be associated with $v$, where $D_v$ and $R_v$ are specified by the V-function's mapping description. This mapping, of course, varies with the state of the machine. In general, the mapping associated with $v$ will not be total. As an example, in Figure 2 of Chapter 1, any mapping associated with stack is a member of $[\text{integer} \to \text{integer}]$.


The sets $D_v$ and $R_v$ also carry the following restriction concerning the data abstraction defined by the machine. In general, they will be the cartesian product $G_1 \times \dots \times G_n$ of a group of sets. But the $G_i$ are restricted so that no element of the data abstraction defined by the machine may be an element of any of the $G_i$. This restriction only allows the definition of unary operations on the data abstraction specified by the machine. For example, in the definition of the data abstraction integer set, it is not possible to define a function which computes the union of two sets. It is possible to define the unary operation has, which determines if a set contains a given integer.


Now, since the state of the machine is characterized by a set of mappings, one associated with each non-derived and hidden V-function, we can view the state set $\Sigma$ as a subset of

    $\mathcal{D} = [D_{v_1} \to R_{v_1}] \times \dots \times [D_{v_n} \to R_{v_n}]$

where $\{v_1, \dots, v_n\}$ is the set of non-derived and hidden V-functions of the machine. In most cases, $\Sigma$ is a proper subset of $\mathcal{D}$. This occurs when a member of $\mathcal{D}$ contains, as an element, a function that can never be associated with a non-derived or hidden V-function. For example, in the bounded stack example of Chapter 1, a total function on the integers can never be associated with stack.
The applicability condition of a V-function governs when a call of that function by a user of the machine succeeds. This section specifies a partial function $\Omega_v$ from $\mathcal{D} \times D_v$ into the Booleans. Hence, the success of a call depends on the state of the machine. For any $x \in D_v$ and state $S$, $\Omega_v(S,x)$ must evaluate to true for the V-function to return the value $v_S(x)$, where $v_S$ denotes the mapping associated with $v$ in state $S$. When $\Omega_v(S,x)$ equals false, $v$ returns an error condition.

The initial value section of a non-derived or hidden V-function $v$ defines the mapping associated with $v$ in the initial state of the machine. This section specifies one member, denoted $\mathrm{init}_v$, of $[D_v \to R_v]$. In practice, for non-derived V-functions, $\mathrm{init}_v$ is usually a constant, total function.


2.1.1.2 Derived V-functions 


A derived V-function $v$ also has three sections in its definition: a mapping description, an applicability condition and a derivation section. The mapping description and applicability condition are defined in the same manner and have the same interpretation as the mapping description and applicability section of a non-derived or hidden V-function. The derivation section is unique to this type of function.

Figure 4. Derived V-function v

    Mapping Description: $D_v$; $R_v$
    Applicability Condition: $\Omega_v : \mathcal{D} \times D_v \to \text{Boolean}$
    Derivation: $\mathrm{der}\,v$ such that $(\mathrm{der}\,v_S) \in [D_v \to R_v]$ for states $S$


The derivation section specifies the mapping associated with $v$ in terms of the mappings associated with the hidden and non-derived V-functions. This section defines a function schema, denoted $\mathrm{der}\,v$, expressed as the composition of the non-derived and hidden V-functions of the machine and other functions over the elements of $D_v$. The actual mapping associated with the schema, denoted $(\mathrm{der}\,v_S)$, depends on the state $S$ of the machine, which contains an interpretation for the non-derived and hidden V-functions. As an example, consider the derivation section of top in Figure 2 of Chapter 1. In any state $S$, top returns the value stack(depth). This value is, of course, dependent on the mappings associated with stack and depth in state $S$.

2.1.2 O-functions 


O-functions too have three sections in their definition. They are a mapping description, an applicability condition and an effects section.

Figure 5. O-function o

    Mapping Description: $D_o$
    Applicability Condition: $\Omega_o : \mathcal{D} \times D_o \to \text{Boolean}$
    Effects Section: $T_o : \mathcal{D} \times D_o \to \mathcal{D}$


In a given state, each O-function $o$ is a member of $[D_o \to \Sigma]$, where $D_o$ is given by the mapping description and $\Sigma$ is the state set of the machine. As with V-functions, $D_o$ will, in general, equal the cartesian product of a group of sets $G_1 \times \dots \times G_n$ which are constrained so that no element of the data abstraction defined by the machine may be an element of any of the $G_i$. The range of the O-function is not specified by the mapping description since it is understood that the range of all O-functions is the state set.
The applicability condition of an O-function determines when the O-function changes the state of the machine. As for V-functions, this section defines a partial function $\Omega_o$ from $\mathcal{D} \times D_o$ into the Booleans. $\Omega_o$ must evaluate to true for the function to change the state of the machine. Otherwise, an error condition is raised and the state remains unchanged. For example, the applicability condition of pop in Figure 2 of Chapter 1 prohibits its execution when the stack is empty.

The effects section of an O-function specifies how the function changes the state of the machine. This section defines a partial function $T_o$ from $\mathcal{D} \times D_o$ into $\mathcal{D}$.

2.2 The Semantics of a State Machine

2.2.1 The State Set of a State Machine


As was previously mentioned, a state of a state machine is modelled by mappings associated with each non-derived and hidden V-function of the machine. Hence, we view the state set, $\Sigma$, of a state machine in the following manner:

    $\Sigma \subseteq [D_{v_1} \to R_{v_1}] \times \dots \times [D_{v_n} \to R_{v_n}] = \mathcal{D}$

where $\{v_1, \dots, v_n\}$ is the set of non-derived and hidden V-functions of the machine.¹ Note that $D_{v_i}$ and $R_{v_i}$ are specified by $v_i$'s mapping description.

1. Recall $[A \to B] = \{f \mid f \text{ is a partial function from } A \text{ to } B\}$.

Our purpose in this section is to define $\Sigma$. Here, a constructive approach will be used. Note that the initial state of a state machine is explicitly defined by the initial value sections of the non-derived and hidden V-functions. This initial state, $Q$, can generate the state set by means of the following construction:
1) $Q$ is an element of $\Sigma$.

2) If $S$ is an element of $\Sigma$ and $o$ is an O-function call, then the state $S'$ obtained by applying $o$ to $S$ is an element of $\Sigma$.

3) These are the only members of $\Sigma$.

So, to define $\Sigma$, it suffices to define the initial state of the machine and then to describe the state changes caused by O-function calls or, in general, how an O-function call maps one member of $\mathcal{D}$ into another.

The initial state $Q$ is the tuple $(\mathrm{init}_{v_1}, \dots, \mathrm{init}_{v_n})$ containing the mappings derived from the initial value section of each of the non-derived and hidden V-functions $(v_1, \dots, v_n)$. Furthermore, the next state function has the following definition.


Definition

Let $o$ be an O-function with mapping $\Omega_o$ in its applicability condition and mapping $T_o$ in its effects section. Let $a \in D_o$ and $R \in \mathcal{D}$. Then,

    $\mathrm{NEXT}(R,o,a) = \begin{cases} T_o(R,a) & \text{if } \Omega_o(R,a) = \text{true} \\ R & \text{if } \Omega_o(R,a) = \text{false} \end{cases}$


Thus, the state set is generated as follows.

1) $Q \in \Sigma$.

2) If $R \in \Sigma$ and $o$ is an O-function, then if $\mathrm{NEXT}(R,o,a)$ is defined, $\mathrm{NEXT}(R,o,a) \in \Sigma$ where $a \in D_o$.

3) These are the only elements of $\Sigma$.
In other words, the state set $\Sigma$ is the closure of $Q$ under the state transition function associated with the O-functions. Note that in 2) above $\mathrm{NEXT}(R,o,a)$ may be undefined. This depends on the functions $T_o$ and $\Omega_o$.

Recall that $T_o$ is a partial function. So, it is possible for some state $S$ and $x \in D_o$ that $T_o(S,x)$ is undefined. Then, if $\Omega_o(S,x) = \text{true}$, $\mathrm{NEXT}(S,o,x)$ would be undefined. This situation is undesirable since when $\Omega_o(S,x) = \text{true}$, a state change should occur. Furthermore, $\Omega_o$ is also a partial function. Here, it is possible for some state $S'$ and $x' \in D_o$ that $\Omega_o(S',x')$ is undefined, again making $\mathrm{NEXT}(S',o,x')$ undefined. These two considerations lead us to the notion of a well-defined state machine.

Definition

A state machine is well-defined if for any $S \in \Sigma$ and O-function $o$, $\mathrm{NEXT}(S,o,a)$ is defined where $a \in D_o$.

This definition guarantees that in a well-defined state machine, for every O-function $o$, $\Omega_o$ is a total function from $\Sigma \times D_o$ into the Booleans and $T_o$ is a total function from $\{(S,a) \in \Sigma \times D_o \mid \Omega_o(S,a)\}$ into $\Sigma$. This can be seen by inspection of the definition of NEXT.

2.2.2 The Semantics of V-functions and O-functions


With this definition of the state set $\Sigma$ of a state machine specification, it is possible to formally define the meaning of the O-functions and V-functions. This will be done by defining mappings V-Eval for V-functions and O-Eval for O-functions such that

    $\text{V-Eval} : \Sigma \times NV \to [A \to R]$

and

    $\text{O-Eval} : \Sigma \times NO \to [A \to \Sigma]$

where $NV$ is the set of V-function names, $A$ is the set of arguments, $R$ is the set of results and $NO$ is the set of O-function names.

First, it is necessary to deal with some notational detail. Here, the notation $[b \to x, y]$ has the value $x$ if $b$ is true and the value $y$ if $b$ is false. This notation will be used to raise an error condition when a function's applicability condition is not satisfied.

O-Eval will be defined first. Now, given a state $S$ and an O-function $o$, O-Eval returns a function from $D_o$ into $\Sigma \cup \{\text{error}\}$. So, using lambda notation,

    $\text{O-Eval}(S,o) = \lambda a.[\Omega_o(S,a) \to \mathrm{NEXT}(S,o,a), \text{error}]$

$\text{O-Eval}(S,o)$ is not necessarily total since either $\Omega_o(S,a)$ or $\mathrm{NEXT}(S,o,a)$ can be undefined. However, $\text{O-Eval}(S,o)$ is always a total function in a well-defined state machine.

For any V-function $v$ and state $S$, V-Eval will return a function from $D_v$ into $R_v \cup \{\text{error}\}$. First, for a non-derived or hidden V-function $v$ and a state $S$, recall that $v_S$ denotes the function associated with $v$ in state $S$. Then for any non-derived or hidden V-function $v$ with applicability condition $\Omega_v$,

    $\text{V-Eval}(S,v) = \lambda a.[\Omega_v(S,a) \to v_S(a), \text{error}]$

Finally, for a derived V-function $v$ with applicability condition $\Omega_v$ and derivation $\mathrm{der}\,v$,

    $\text{V-Eval}(S,v) = \lambda a.[\Omega_v(S,a) \to (\mathrm{der}\,v_S)(a), \text{error}]$

Note that $\text{V-Eval}(S,v)$ is not necessarily defined over the entire set $D_v$ since $\Omega_v(S,a)$ can be undefined or, depending on the type of V-function, $v_S(a)$ or $(\mathrm{der}\,v_S)(a)$ can be undefined when $\Omega_v(S,a) = \text{true}$. When this is not the case, we say the state machine is consistent.


Definition

A state machine is consistent if $\text{V-Eval}(S,v)$ is a total function from $D_v$ into $R_v \cup \{\text{error}\}$ for every state $S \in \Sigma$ and V-function $v$.

In a consistent state machine, $\Omega_v$ is always a total function from $\Sigma \times D_v$ into the Booleans and $v_S$ or $(\mathrm{der}\,v_S)$ is always a total function from $\{a \in D_v \mid \Omega_v(S,a)\}$ into $R_v$.

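The definitions of Sections 2.2.1 and 2.2.2 can be made executable; the following Python model of the bounded integer stack of Figure 2 is an added illustration, not code from the thesis. It builds the state set as the closure of the initial state Q under NEXT, defines O-Eval and V-Eval with the [b → x, y] convention, and checks well-definedness and consistency by exhaustive enumeration, with an unguarded variant of pop showing how the check catches an effects function that is undefined where its applicability condition holds. It assumes a reduced bound (3 instead of the 100 in Figure 2) and a constructed finite argument domain in place of the integers, so that the state set is finite.

```python
"""Executable model of the bounded integer stack of Figure 2 (added example,
not the thesis's own code).  A state is the tuple of the mappings of the
non-derived and hidden V-functions (depth, stack); NEXT, O-Eval and V-Eval
follow Sections 2.2.1 and 2.2.2, and the state set is the closure of the
initial state Q under NEXT.  Assumptions: the bound 100 of Figure 2 is
lowered to BOUND = 3 and push arguments are drawn from the constructed finite
domain ARGS, so that the state set can be enumerated exhaustively."""
from typing import Callable, Dict, Optional, Tuple

ERROR = "error"
BOUND = 3          # Figure 2 uses 100; reduced here (assumption) for enumeration
ARGS = (0, 1)      # constructed finite domain standing in for the integers

# A state S is (depth_S, stack_S).  depth_S is a constant total function,
# modelled by its value; stack_S is a partial function on the integers,
# modelled by a tuple t with stack_S(i) = t[i-1] defined for 1 <= i <= len(t).
State = Tuple[int, Tuple[int, ...]]
Q: State = (0, ())  # Initial Value sections: depth 0, stack undefined everywhere


def stack_at(s: State, i: int) -> Optional[int]:
    """stack_S(i), or None where the partial function is undefined."""
    return s[1][i - 1] if 1 <= i <= len(s[1]) else None


# V-functions: each returns (Omega_v(S,a), v_S(a)); top's derivation is stack(depth).
V_FUNCTIONS: Dict[str, Callable] = {
    "depth": lambda s, a: (True, s[0]),
    "stack": lambda s, i: (1 <= i <= s[0], stack_at(s, i)),
    "top":   lambda s, a: (s[0] > 0, stack_at(s, s[0])),
}


# O-functions: (Omega_o, T_o).  T_o may be partial; raising models "undefined".
def t_push(s: State, a: int) -> State:
    # 'depth' = depth + 1 and 'stack'(depth + 1) = a; the hidden mapping keeps
    # the entries at or below the old depth and overwrites the one above it
    return (s[0] + 1, s[1][:s[0]] + (a,))


def t_pop(s: State, a) -> State:
    # 'depth' = depth - 1: the old top stays in the hidden mapping but is no
    # longer observable through top (the delayed effect of Section 1.2)
    if s[0] == 0:
        raise ValueError("T_pop undefined on the empty stack")
    return (s[0] - 1, s[1])


O_FUNCTIONS = {"push": (lambda s, a: s[0] < BOUND, t_push),
               "pop":  (lambda s, a: s[0] > 0, t_pop)}
# Same effects, but pop's applicability condition no longer guards T_pop.
UNGUARDED = {"push": O_FUNCTIONS["push"], "pop": (lambda s, a: True, t_pop)}


def NEXT(r: State, o: str, a, ofuncs=O_FUNCTIONS) -> Optional[State]:
    """NEXT(R,o,a) = T_o(R,a) if Omega_o(R,a) = true, else R; None if undefined."""
    omega, t = ofuncs[o]
    try:
        return t(r, a) if omega(r, a) else r
    except ValueError:
        return None


def o_eval(s: State, o: str, ofuncs=O_FUNCTIONS) -> Callable:
    """O-Eval(S,o) = lambda a.[Omega_o(S,a) -> NEXT(S,o,a), error]."""
    return lambda a: NEXT(s, o, a, ofuncs) if ofuncs[o][0](s, a) else ERROR


def v_eval(s: State, v: str) -> Callable:
    """V-Eval(S,v) = lambda a.[Omega_v(S,a) -> v_S(a), error]; None if undefined."""
    def f(a):
        applicable, value = V_FUNCTIONS[v](s, a)
        return value if applicable else ERROR
    return f


def state_set(ofuncs=O_FUNCTIONS) -> set:
    """Sigma as the closure of Q under NEXT (the generative definition)."""
    sigma, frontier = {Q}, [Q]
    while frontier:
        r = frontier.pop()
        for o in ofuncs:
            for a in ARGS:
                nxt = NEXT(r, o, a, ofuncs)
                if nxt is not None and nxt not in sigma:
                    sigma.add(nxt)
                    frontier.append(nxt)
    return sigma


def is_well_defined(sigma, ofuncs=O_FUNCTIONS) -> bool:
    """NEXT(S,o,a) is defined for every S in Sigma, O-function o and a in D_o."""
    return all(NEXT(s, o, a, ofuncs) is not None
               for s in sigma for o in ofuncs for a in ARGS)


def is_consistent(sigma) -> bool:
    """V-Eval(S,v) is total into R_v U {error} for every S in Sigma, V-function v."""
    return all(v_eval(s, v)(a) is not None
               for s in sigma for v in V_FUNCTIONS for a in ARGS + (BOUND,))


if __name__ == "__main__":
    sigma = state_set()
    print(len(sigma), "states; well-defined:", is_well_defined(sigma),
          "consistent:", is_consistent(sigma))
    print("unguarded pop well-defined:",
          is_well_defined(state_set(UNGUARDED), UNGUARDED))
```

With BOUND = 3 and two possible arguments the closure has 49 states, every one of which has a defined NEXT for both O-functions, whereas the unguarded pop already fails at Q.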
2.2.3 An Induction Principle

Since any state of a state machine is generated by zero or more O-function calls, the structural induction principle [Burstall 69] holds here. In structural induction, proofs proceed by course of values induction on the complexity of the structure,² which, for state machines, means that to prove that the data abstraction defined by the machine has property P, one must prove that the initial state has property P and that, if all states produced by zero through n-1 O-function calls have P, then P is true after n O-function calls. This is one advantage of the generative approach used in this model to define the state set.

2. The general schema of course of values induction on the natural numbers is:
$$P(0) \wedge \forall k\,[\forall i\,(i < k \rightarrow P(i)) \rightarrow P(k)] \rightarrow \forall k\,P(k)$$
2.2.4 Proving Properties of State Machines

Although it is not possible to establish formally that a state machine specification is correct with respect to our intuition, there are certain properties that a specification should satisfy to enhance our confidence in its correctness. Two important properties of a state machine are whether or not it is well-defined or consistent. In a well-defined machine, the O-functions behave properly, either changing the state or informing the user of an error. In a consistent machine, the same is true of the V-functions. They either return a value or raise an error condition.

A state machine is well-defined when NEXT is a total function. This occurs when, for every O-function $o$, $W_o$ is a total function from $\mathfrak{S} \times D_o$ into the Booleans and $T_o$ is a total function from $\{(S,a) \mid S \in \mathfrak{S},\ a \in D_o \text{ and } W_o(S,a)\}$ into $\mathfrak{S}$. Since $\mathfrak{S}$ is defined generatively, a state machine can be proved to be well-defined by using structural induction. As outlined in Section 2.2.3, one first shows that $\text{NEXT}(Q,o,a)$ is defined for all O-functions $o$ and $a \in D_o$, and then, assuming that
$$\text{NEXT}(\ldots\text{NEXT}(\text{NEXT}(Q,o_1,a_1),o_2,a_2)\ldots,o_{n-1},a_{n-1})$$
is defined for all $a_i \in D_{o_i}$, $n \geq 2$, proves that
$$\text{NEXT}(\ldots\text{NEXT}(\text{NEXT}(Q,o_1,a_1),o_2,a_2)\ldots,o_n,a_n)$$
is defined for all $a_i \in D_{o_i}$. In practice, however, it may be necessary to strengthen the inductive hypothesis to simplify the proof.
A state machine is consistent when, for every V-function $v$, $W_v$ is a total function from $\mathfrak{S} \times D_v$ into the Booleans and, for every non-derived or hidden V-function $v$ and state $S \in \mathfrak{S}$, $v_S$ is a total function from $\{a \mid a \in D_v \text{ and } W_v(S,a)\}$ into $R_v$ and, for every derived V-function $v$, $(\text{der}\,v_S)$ is a total function from $\{a \mid a \in D_v \text{ and } W_v(S,a)\}$ into $R_v$. All these properties can be established by using structural induction in the manner outlined above.

In general, for most practical specifications, the task of proving that a state machine is well-defined or consistent is not extremely difficult but rather tedious due to the many cases that must be verified. The hardest step in a proof usually involves discovering an inductive hypothesis that allows the proof to follow readily. These comments are illustrated by the example in Section 3.3 of Chapter 3 where a specification of a queue is shown to be well-defined and consistent.

Note, however, that both the problem of determining whether or not an arbitrary state machine is well-defined and the problem of determining whether or not an arbitrary state machine is consistent are undecidable. This situation arises since the halting problem for Turing machines [Hennie 77] can be reduced to each of them. These two results are established for the specification language of Chapter 3 in Appendix 1. However, they are not language dependent.

The reductions for both problems are similar. Below, the reduction for the question of determining whether or not a state machine is well-defined is sketched. Here, we shall actually reduce the blank tape halting problem to this question; the blank tape halting problem is itself undecidable, since the halting problem for Turing machines reduces to it [Hennie 77]. So, consider a deterministic, one-tape, one-head Turing machine T. T's computation on blank tape can be simulated by the following state machine TUR.


TUR consists of a set of functions that hold T's configuration, among them a V-function tape(i), and an O-function move whose applicability condition simply returns the Boolean value true. Now recall that the computation of a Turing machine halts when it reaches a state and input symbol for which its next state function is undefined. The function in move's effects section is defined for every pair of state and input symbol that corresponds to a step in T's computation.

If T's computation when started on blank tape halts, T will eventually reach a state and input symbol for which its next state function is undefined. So, in TUR's simulation of T, a state S of TUR will be reached that corresponds to this situation. Then, by construction, NEXT(S,move) is undefined, so TUR is not well-defined. On the other hand, if TUR is not well-defined, the function in move's effects section must be undefined in some state of TUR, and this corresponds to T halting. Thus, TUR is well-defined if and only if T does not halt when started on blank tape.
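The reduction sketched above, made executable as an added example. This is our code, not the thesis's: the hidden V-functions are assumed to be named state, head and tape(i), the transition table is encoded as a partial function delta, and the two sample Turing machines are constructed for the demonstration.

```python
from typing import Dict, Optional, Tuple

BLANK = "_"
# delta[(q, s)] = (q2, s2, d): in state q reading symbol s, T writes s2, moves the head by d
# (+1 right, -1 left) and enters q2.  delta is partial: a missing entry is a (state, symbol)
# pair for which T's next-state function is undefined, i.e. a point where T halts.
Delta = Dict[Tuple[str, str], Tuple[str, str, int]]


class TUR:
    """One state S of the state machine TUR: the current configuration of T, kept in
    three hidden V-functions that we assume to be named state, head and tape(i)."""

    def __init__(self, delta: Delta, q: str, head: int = 0,
                 tape: Optional[Dict[int, str]] = None):
        self.delta, self.state, self.head = delta, q, head
        self.tape = {} if tape is None else tape   # empty mapping = blank tape

    def tape_v(self, i: int) -> str:
        """The V-function tape(i): cells never written read BLANK."""
        return self.tape.get(i, BLANK)

    def next_move(self) -> Optional["TUR"]:
        """NEXT(S, move).  move's applicability condition is true, and the function in its
        effects section is delta itself, so NEXT(S, move) is undefined (None here) exactly
        when delta has no entry for the current (state, symbol) pair, i.e. when T halts."""
        step = self.delta.get((self.state, self.tape_v(self.head)))
        if step is None:
            return None
        q2, s2, d = step
        tape2 = dict(self.tape)
        tape2[self.head] = s2
        return TUR(self.delta, q2, self.head + d, tape2)


def initial_state(delta: Delta, start: str) -> TUR:
    """Q: T in its start state, head on cell 0, blank tape."""
    return TUR(delta, start)


def bounded_well_defined(delta: Delta, start: str, bound: int) -> Optional[bool]:
    """Structural induction on the states generated by 0..bound calls of move.  TUR has a
    single nullary O-function, so the generated state set is one chain Q, NEXT(Q,move), ...
    Returns False as soon as NEXT(S, move) is undefined (T halted, so TUR is not
    well-defined) and None if every step within the bound was defined: a finite bound
    cannot establish well-definedness, which is the undecidability result in miniature."""
    S = initial_state(delta, start)
    for _ in range(bound):
        S = S.next_move()
        if S is None:
            return False
    return None


# Constructed sample machines (not from the thesis).
WRITES_TWO_ONES: Delta = {("q0", BLANK): ("q1", "1", +1),   # q2 has no entry: T halts there
                          ("q1", BLANK): ("q2", "1", +1)}
RUNS_FOREVER: Delta = {("q0", BLANK): ("q0", BLANK, +1)}      # never leaves q0
```

bounded_well_defined(WRITES_TWO_ONES, "q0", 3) answers False because the third call of move lands on a (q2, blank) pair that delta does not cover, which is the NEXT(S,move)-undefined state of the sketch. For RUNS_FOREVER every bound answers None; no bound turns that into a proof of well-definedness, which is the point of the reduction.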
3. A Language for State Machine Specifications

This chapter presents the syntax and semantics of a specification language for state machines called ALMS (A Language for Machine Specifications). Section 3.1 describes the syntax of ALMS and Section 3.2 discusses its semantics.

The approach here is concrete, dealing with a specific language and its semantics. This chapter is a complement to the abstract discussion in Chapter 2. It shows how an actual language can be used to specify state machines and how its semantics can be defined using the model in Chapter 2 as a guide. The chapter concludes with an example discussing a proof that a particular machine is well-defined and consistent.

ALMS is similar in spirit and approach to SPECIAL [Roubine 76], a specification language based on Parnas' approach. However, there are significant differences between the two languages. ALMS was developed solely to illustrate how to use the model in Chapter 2 to define the semantics of a state machine specification language. It is a simple language and does not have the features nor the expressive power that would be found in a specification language intended for use in the development of software systems. For example, when using ALMS to specify a symbol table for a block structured language, one can not define a V-function that returns the attributes associated with an identifier in the most local scope in which it occurs. This happens since ALMS contains no iteration or recursion constructs. ALMS can be extended to have these features but this would be beyond the intent of this chapter.

SPECIAL, however, was designed explicitly for specifying software systems. It is intended to be used in conjunction with a methodology for the design, implementation and proof of computer systems [Roubine 76]. It naturally contains more features than ALMS. In SPECIAL, there are more constructs for defining the effects section of O-functions and the derivation section of derived V-functions. Furthermore, SPECIAL permits the definition of operations that are more than unary on the data abstraction defined by the machine.
3.1 The Syntax of ALMS

An example of a state machine specification, described using ALMS, is given below in Figure 6. Here, the data abstraction defined is a symbol table for use in a block structured language. It has the following operations. Add is an O-function that places an identifier and its attributes into the symbol table at the current scoping level. We assume here that an identifier and its attributes are character strings and denote this type by string. The current scoping level is given by the non-derived V-function level. It can be incremented and decremented by the O-functions inc_level and dec_level, respectively. Retrieve is a derived V-function that returns the attributes of an identifier in a given level of the table and present? is another derived V-function that indicates whether or not an identifier has already been placed into a given scoping level of the table. The functions P1 and P2 used in these two derived V-functions' derivations are projection functions that return the first and second components, respectively, of an ordered pair. They simply permit one hidden V-function instead of two. Finally, table_storage is a hidden V-function used for storage purposes.
This specification illustrates the three major components of a state machine described using ALMS: the defining abstractions, the interface description and the definitions of the V-functions and O-functions.

Figure 6. Symbol Table

symbol_table = state machine is add, inc_level, dec_level, retrieve, present?, level

level = non-derived V-function( ) returns integer
    Appl. Cond.: true
    Initial Value: 0
end level

table_storage = hidden V-function(a:integer, i:string) returns string × Boolean
    Appl. Cond.: true
    Initial Value: (don't care, false)
end table_storage

retrieve = derived V-function(a:integer, i:string) returns string
    Appl. Cond.: P2(table_storage(a,i))
    Derivation: retrieve(a,i) = P1(table_storage(a,i))
end retrieve

present? = derived V-function(a:integer, i:string) returns Boolean
    Appl. Cond.: true
    Derivation: present?(a,i) = P2(table_storage(a,i))
end present?

add = O-function(i, j:string)
    Appl. Cond.: ~P2(table_storage(level,i))
    Effects: 'table_storage'(level,i) = (j,true)
end add

inc_level = O-function( )
    Appl. Cond.: true
    Effects: 'level' = level + 1
end inc_level

dec_level = O-function( )
    Appl. Cond.: level > 0
    Effects: 'level' = level - 1
end dec_level

end symbol_table

The interface description provides a very brief description of the V-functions and O-functions that users of the machine may employ. These functions, along with the hidden V-functions, are fully defined in the body of the machine. In these definitions, the defining abstractions are used. Here, they compose the domain and range of the V-functions and O-functions and, further, through their associated functions, help specify the meaning of the V-functions and O-functions.
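Figure 6 run under the O-Eval / V-Eval semantics of Chapter 2, as an added example that is not part of the thesis. A state is the pair of mappings for level and table_storage, a partial mapping is a Python dict, and a bounded exploration of the generated state set stands in for the structural induction of Section 2.2.3. The Python names, the argument alphabet used by reachable and the invariant checked at the end are our choices.

```python
from typing import Any, FrozenSet, Tuple, Union

ERROR = "error"                      # the error element of R_v U {error} and S U {error}
Entry = Tuple[str, bool]             # an element of string x Boolean
Store = FrozenSet[Tuple[Tuple[int, str], Entry]]   # table_storage's mapping, as a set of pairs
State = Tuple[int, Store]            # a state: (level_S, table_storage_S)

INIT_ENTRY: Entry = ("", False)      # table_storage's Initial Value (don't care, false)
Q: State = (0, frozenset())          # the initial state: level = 0, table_storage constant


def _table_storage(store: Store, a: int, i: str) -> Entry:
    """table_storage_S(a, i): a total function, since its initial value is a constant."""
    return dict(store).get((a, i), INIT_ENTRY)


def V_eval(S: State, v: str, *args: Any) -> Any:
    """V-Eval(S, v)(args): the V-function's value when its applicability condition holds,
    ERROR when it does not.  The derived functions apply P1/P2 to table_storage's pair."""
    level, store = S
    if v == "level":                              # non-derived, Appl. Cond. true
        return level
    if v == "table_storage":                      # hidden, Appl. Cond. true
        return _table_storage(store, *args)
    if v == "present?":                           # derived, Appl. Cond. true
        return _table_storage(store, *args)[1]    # P2(table_storage(a, i))
    if v == "retrieve":                           # derived, Appl. Cond. P2(table_storage(a, i))
        entry = _table_storage(store, *args)
        return entry[0] if entry[1] else ERROR    # P1(table_storage(a, i))
    raise KeyError(v)


def O_eval(S: State, o: str, *args: Any) -> Union[State, str]:
    """O-Eval(S, o)(args): NEXT(S, o, args) when the applicability condition holds, else ERROR.
    Unquoted V-functions on the right-hand sides are read from S, i.e. before the call."""
    level, store = S
    if o == "add":
        i, j = args
        if _table_storage(store, level, i)[1]:    # ~P2(table_storage(level, i)) is false
            return ERROR
        new = dict(store)
        new[(level, i)] = (j, True)               # 'table_storage'(level, i) = (j, true)
        return (level, frozenset(new.items()))
    if o == "inc_level":
        return (level + 1, store)                 # 'level' = level + 1
    if o == "dec_level":
        return (level - 1, store) if level > 0 else ERROR
    raise KeyError(o)


def reachable(depth: int, ids=("x", "y"), attrs=("int",)) -> set:
    """The states generated by at most `depth` O-function calls whose arguments are drawn
    from ids x attrs: a bounded instance of the generative definition of the state set.
    Every call either returns a state or ERROR; a Python exception here would be the
    'NEXT undefined' case that makes a machine not well-defined."""
    calls = [("add", i, j) for i in ids for j in attrs] + [("inc_level",), ("dec_level",)]
    seen, frontier = {Q}, [Q]
    for _ in range(depth):
        fresh = []
        for S in frontier:
            for call in calls:
                T = O_eval(S, *call)
                if T != ERROR and T not in seen:
                    seen.add(T)
                    fresh.append(T)
        frontier = fresh
    return seen


def holds_on_reachable(depth: int, P) -> bool:
    """The induction of Section 2.2.3 checked exhaustively up to `depth`: property P on
    every state produced by 0..depth O-function calls."""
    return all(P(S) for S in reachable(depth))
```

The error paths are the ones worth exercising: dec_level in Q, retrieve of an identifier that was never added, and a second add of the same identifier at the same level all yield ERROR rather than a state or value, while add of the same identifier after inc_level succeeds, which is the scoping rule the applicability condition encodes. The bound is the caveat: holds_on_reachable(4, ...) is the base case plus four instances of the induction step, so it can refute well-definedness or an invariant such as level ≥ 0, but it is not the general inductive step that a proof requires.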
3.1.1 The Defining Abstractions

As was discussed in Chapter 1, a state machine uses data abstractions that are distinct from the data abstraction defined by the machine. These abstractions are called the defining abstractions. They are assumed to be defined elsewhere.

In the remainder of this thesis, we shall use the integers, character strings and Booleans as defining abstractions and associate the usual operations with them. Furthermore, the set $\{\Lambda\}$, where $\Lambda$ is the empty string, will be used as the domain of nullary V-functions and O-functions.

ALMS can, of course, have other defining abstractions besides these three. We will, however, leave the actual collection of defining abstractions unspecified and only assume that it at least contains the integers, character strings and Booleans.

Note also that the collection of defining abstractions can be augmented dynamically in the sense that once a data abstraction is defined in ALMS, such as the stack of Chapter 1, it can be used as a defining abstraction in other specifications. So, the specification of a symbol table for a block structured language could use a stack in its specification. We however chose not to do this in the example in Figure 6.
3.1.2 The Interface Description

In ALMS, the interface description of a state machine provides a very brief description of the interface that the machine presents to the outside environment. It consists of the name of the data abstraction defined by the machine and a list of the functions that users of the machine may employ:

symbol_table = state machine is add, inc_level, dec_level, retrieve, present?, level

The list of functions contains the name of every non-derived V-function, derived V-function and O-function in the machine. The names of hidden V-functions do not appear in the interface description as they are not available outside the machine.
3.1.3 V-functions

This section specifies the syntax for the three types of V-functions of a state machine, the non-derived, hidden and derived V-functions. In the next section, the syntax of O-functions is given. Recall that non-derived V-functions are primitive aspects of the data abstraction defined by the machine. Hidden V-functions are used to represent aspects of the state that are not immediately observable and are inaccessible to users of the machine. However, limited access to them is provided by the derived V-functions, which are defined in terms of the non-derived and hidden V-functions.

Throughout this section and the next, it will be necessary to use expressions. An expression is formed through the composition of the non-derived and hidden V-functions of the machine and the functions associated with the defining abstractions. It may also contain elements of the defining abstractions and formal arguments. The formal arguments serve as place holders in the expression.

We now turn to the definition of an expression. The definition is stated as though all expressions were written in prefix form f(e_1,...,e_n); we shall, however, freely use infixes such as + in examples. Given a particular state machine SM, an expression is defined as follows.

1) An element of a defining abstraction or a formal argument is an expression.

2) If e_1,...,e_n are expressions and f is a non-derived or hidden V-function of SM or a function associated with a defining abstraction that requires n arguments, then f(e_1,...,e_n) is an expression.

We shall also refer to expressions by the type of value they return upon evaluation. For example, a Boolean expression evaluates to either true or false. Note that this definition excludes derived V-functions from appearing in an expression. This restriction is made only to simplify the semantic definition in Section 3.2; it could be lifted to allow derived V-functions to appear in expressions.


3.1.3.1 Non-derived V-functions

The general method of specifying a non-derived V-function is given in Figure 7.

Figure 7. Syntax of a Non-derived V-function

name = non-derived V-function(x_1:t_1, ..., x_n:t_n) returns t_r
    Appl. Cond.: Boolean expression
    Initial Value: init
end name

where the $t_i$ and $t_r$ are names of defining abstractions and $init \in t_r \cup \{undefined\}$.

The mapping description of a non-derived V-function has the form

name = non-derived V-function( ) returns t_r

for nullary V-functions such as level in Figure 6 and

name = non-derived V-function(x_1:t_1, ..., x_n:t_n) returns t_r

for n-ary non-derived V-functions. Here, $t_r$, the name of one of the defining abstractions, is the equivalent of $R_v$ of Section 2.1.1 and is sometimes referred to as the type of the V-function. The $x_i$ are the formal arguments of the V-function. They must be distinct. Also, $t_i$, again the name of a defining abstraction, is called the type of the formal argument $x_i$. For a nullary, non-derived V-function, $D_v$ is $\{\Lambda\}$. For an n-ary, non-derived V-function $v$, $D_v$ is $t_1 \times \ldots \times t_n$.

For example, consider the mapping description of level from Figure 6:

level = non-derived V-function( ) returns integer

Here, $D_{level} = \{\Lambda\}$ and $R_{level} = integer$ and, in any state, the function associated with level is a member of $[\{\Lambda\} \rightarrow integer]$.

The applicability condition of a non-derived V-function contains a Boolean expression that determines the success of a call to the function. This expression must be type correct. This means that whenever an operand is used in the expression, its type must be compatible with the type expected at that location. Furthermore, this expression must only contain formal arguments that appear in the V-function's mapping description.

The initial value section of a non-derived V-function specifies one element of $R_v$ or contains the special symbol undefined. This causes the mapping associated with the V-function in the initial state of the machine to be either a constant, total function or a totally undefined function. The latter case is indicated by undefined.
3.1.3.2 Hidden V-functions

Hidden V-functions are specified in an analogous manner to non-derived V-functions. The only difference occurs in the mapping description, which contains the special symbol hidden instead of non-derived.

Figure 8. Syntax of a Hidden V-function

name = hidden V-function(x_1:t_1, ..., x_n:t_n) returns t_r
    Appl. Cond.: Boolean expression
    Initial Value: init
end name

where the $t_i$ and $t_r$ are the names of defining abstractions and $init \in t_r \cup \{undefined\}$.
3.1.3.3 Derived V-functions

The three sections in the definition of a derived V-function are defined as follows. The mapping description differs from the mapping description of a non-derived or hidden V-function by use of the special symbol derived. The applicability condition exactly follows the syntax of the applicability condition of a non-derived or hidden V-function. The derivation section is unique for this type of function.

Figure 9. Syntax of a Derived V-function

name = derived V-function(x_1:t_1, ..., x_n:t_n) returns t_r
    Appl. Cond.: Boolean expression
    Derivation: defining clause
end name

where the $t_i$ and $t_r$ are names of defining abstractions.

The derivation section of a derived V-function $v$ contains an equation that defines $v$ in terms of the non-derived and hidden V-functions in the machine. Its syntax is described as follows. If a derived V-function $v$ has formal arguments $x_1,\ldots,x_n$ and type $t_r$, then the derivation section of $v$ is of the form

Derivation: v(x_1,...,x_n) = e

or

Derivation: if b then v(x_1,...,x_n) = e_1 else v(x_1,...,x_n) = e_2

Here, b is a Boolean expression and e, e_1 and e_2 are expressions of type $t_r$. Again, these expressions must be type correct and only use formal arguments of $v$.
3.1.4 O-functions

The general method of specifying an O-function is shown below in Figure 10.

Figure 10. Syntax of an O-function

name = O-function(x_1:t_1, ..., x_n:t_n)
    Appl. Cond.: Boolean expression
    Effects: equation_1
             ...
             equation_m
end name

where each $t_i$ is the name of a defining abstraction.

The mapping description specifies the domain of the O-function and identifies the particular function as an O-function. Its syntax is

name = O-function( )

for nullary O-functions such as pop in Figure 2 of Chapter 1 and

name = O-function(x_1:t_1, ..., x_n:t_n)

for n-ary O-functions such as add in Figure 6. Here, $t_i$ is the name of a defining abstraction and the $x_i$ are the formal arguments of the O-function. They must be distinct. Also, $t_i$ is the type of the formal argument $x_i$.

For a nullary O-function $o$, $D_o$ is $\{\Lambda\}$. For an n-ary O-function $o$, $D_o$ is $t_1 \times \ldots \times t_n$. The range of the O-function is not specified by the mapping description since it is understood that the range of any O-function is the state set of the state machine.


The applicability condition of an O-function contains a Boolean expression. Naturally, this expression must be type correct and only contain formal arguments from the O-function's mapping description.

The effects section of an O-function contains a group of equations that reflect how the mappings associated with the non-derived and hidden V-functions are changed by an O-function call. There are two types of equations, simple equations and conditional equations. A simple equation in a state machine SM is defined as follows.

1) Let $v$ be a nullary non-derived or hidden V-function of SM having type $t$ and let $e$ be an expression of type $t$. Then

'v' = e

is a simple equation.

2) Let $v$ be an n-ary ($n > 0$) non-derived V-function or hidden V-function of SM having type $t$ with formal arguments $x_i$ of type $t_i$ ($1 \leq i \leq n$), let $e$ be an expression of type $t$ and let $e_1,\ldots,e_n$ be expressions of types $t_1,\ldots,t_n$ respectively. Then

'v'(e_1,...,e_n) = e

is a simple equation.

The quotes are used to represent the result returned by the V-function after completion of the O-function call. An unquoted V-function denotes the value returned before the O-function call.

A conditional equation employs simple equations in its definition. Let $eq_1$ and $eq_2$ be simple equations and let $b$ be a Boolean expression. Then

if b then eq_1

and

if b then eq_1 else eq_2

are conditional equations. Note that this definition prohibits nested conditional equations and blocks of equations following the then or else. These restrictions were made only to simplify the semantic definition in Section 3.2. No problems would arise if the restrictions were lifted.

Finally, the effects section of an O-function contains a listing of conditional and simple equations. Its syntax is

Effects: eq_1
         ...
         eq_m

The ordering is immaterial. Of course, all expressions in the effects section must be type correct and contain only formal arguments of the O-function.




3.2 The Semantics of ALMS

3.2.1 The State Set

As was previously mentioned in Chapter 2, a state of a state machine is completely specified when the mapping associated with each non-derived and hidden V-function of the machine is given. Hence, we view the state set, $\mathfrak{S}$, of a state machine in the following manner:
$$\mathfrak{S} \subseteq [D_{v_1} \rightarrow R_{v_1}] \times \ldots \times [D_{v_n} \rightarrow R_{v_n}]$$
where $\{v_1,\ldots,v_n\}$ is the set of non-derived and hidden V-functions. Note that $D_{v_i}$ and $R_{v_i}$ are defined in Sections 3.1.3.1 and 3.1.3.2.

Our purpose in this section is to define $\mathfrak{S}$. Here, we shall use the same approach outlined in Section 2.2.1, taking the transitive closure of the initial state $Q$ under the state transition function. So, to define $\mathfrak{S}$, it suffices to define the initial state of the machine and then to describe the state change caused by an O-function call.

The initial state $Q$ is the n-tuple $(init_{v_1},\ldots,init_{v_n})$ where $\{v_1,\ldots,v_n\}$ is the set of non-derived and hidden V-functions of the machine and
$$init_{v_i} = \begin{cases} \emptyset & \text{if } v_i\text{'s initial value section contains the word undefined} \\ \{(a,b) \mid a \in D_{v_i}\} & \text{if } v_i\text{'s initial value section contains } b \in R_{v_i} \end{cases}$$
Here, $\emptyset$ is the null set. Note that functions are represented as sets of ordered pairs.

To define the next state function of a state machine, it is necessary to define, in general, how an O-function call maps one member of $\mathfrak{S}$ into another. This mapping is done by the O-function's effects section and we now turn to describing the meaning of this section.

The basic components of an O-function's effects section are the expressions that are used to build the simple equations and the conditional equations. These expressions are formed by composing the functions associated with the defining abstractions and the non-derived and hidden V-functions of the machine. So, the first step in defining the next state mapping is to specify the meaning of these expressions. This will be done by defining a function $\mu$ that evaluates an expression. Then, using $\mu$, it will be possible to describe the effect of a single equation. This will be done in the definition of a function E that specifies how an equation changes the mapping associated with a V-function. Finally, the effect of the entire effects section will be specified by a function TE which, using E, combines the effect of each equation in the effects section.

The meaning of an expression is dependent on two items. First, it depends on the particular O-function or V-function call since, in general, the expressions will contain formal arguments from the function's definition. Actual values must be substituted for these formal arguments. Second, the meaning of the expression depends on a state $R \in \mathfrak{S}$, which gives an interpretation to the non-derived and hidden V-functions. Note that the functions associated with the defining abstractions have a constant, fixed interpretation and are independent of members of $\mathfrak{S}$.


So, let $R \in \mathfrak{S}$ and let $w$ be an O-function or V-function with expression E appearing in $w$'s definition. Finally, let $(a_1,\ldots,a_n) \in D_w$. Then to find the meaning of expression E, we can proceed as follows.

1) First, substitute $a_i$ for every occurrence of its corresponding formal argument in E, obtaining E*. Note, if $D_w = \{\Lambda\}$, this step is unnecessary since $w$ has no formal arguments.

2) Now, to evaluate E*, we shall view $R$ as an interpretation or environment that specifies, for each symbol A, the value $A_R$ of A in $R$. If A is an element of a defining abstraction or one of their associated functions, then $A_R$ is simply A. If A is a non-derived or hidden V-function, then $A_R$ is the function associated with A in $R$. The value of $E^* = A(E_1,\ldots,E_n)$ in $R$, following [Pratt 77], will be denoted by $R \models E^*$ and is defined by
$$R \models A(E_1,\ldots,E_n) = A_R(R \models E_1, \ldots, R \models E_n)$$
Since the non-derived and hidden V-functions may not be associated with total functions in $R$, it is possible that $R \models E^*$ is undefined.

Thus, as outlined above, we can define a semantic function $\mu(R,E,w,a)$ for $R \in \mathfrak{S}$, expressions E in $w$'s definition and $a \in D_w$ such that
$$\mu(R,E,w,a) = R \models E^*$$
We include the O-function or V-function name $w$ as a parameter since it specifies the formal arguments for which the components of $a$ are substituted.

Now, let $R \in \mathfrak{S}$ and consider the simple equation
$$'v'(e_1) = e_2$$
appearing in an O-function $o$'s effects section. Then any call $o(a)$ of $o$, where $a \in D_o$, would change $v_R$ to the function
$$v_R^*(x) = \begin{cases} \mu(R,e_2,o,a) & \text{if } x = \mu(R,e_1,o,a) \\ v_R(x) & \text{if } x \neq \mu(R,e_1,o,a) \end{cases}$$
Here, a new value is returned for the argument $\mu(R,e_1,o,a)$ and, otherwise, the old value is returned.
To help indicate such a function, we shall use the notation $b \rightarrow x, y$ developed in Chapter 2. Recall that this notation has the value $x$ if $b$ is true and the value $y$ if $b$ is false. So, for $v_R^*$ above we have
$$v_R^* = \lambda x.[(x = \mu(R,e_1,o,a)) \rightarrow \mu(R,e_2,o,a), v_R(x)]$$

Using this notation, we define in Figure 11 an effects function
$$E(R,o,a,Eq)$$
that specifies the change caused by an equation Eq on a V-function. E returns the new mapping associated with the V-function. It shows the effect of a single equation and not the entire effects section. So, in general, E can not be observed outside the machine.

The definition of E characterizes the expressive power of the effects section. If one wished to increase the expressive power of ALMS by adding constructs such as a while or for all statement, the definition of E would have to be extended. In fact, this is the only definition that would require modification. Both $\mu$ and TE would remain unchanged. This new definition of E could use the definition in Figure 11 as its basis. The effect of the new constructs could be defined in terms of the effects of their simpler parts in much the same manner as the effect of the if-then-else statement in Figure 11 is given in terms of the first two clauses of the definition.

To define the next state function, we must combine the effect of all the equations in the effects section. This can be done by calculating $E(R,o,a,Eq)$ for every equation in the effects section and then combining these mappings into a new state.


Figure 11. Effects Function

Definition
Given a state machine specification SM and $R \in \mathfrak{S}$, let $o$ be an O-function of SM with Eq appearing in $o$'s effects section and $a \in D_o$. Then $E(R,o,a,Eq)$ is defined as follows.

i) If Eq is a simple equation of the form $'v' = e$ where $v$ is a nullary V-function, then
$$E(R,o,a,Eq) = \lambda\Lambda.\,\mu(R,e,o,a)$$

ii) If Eq is a simple equation of the form $'v'(w) = e$, then
$$E(R,o,a,Eq) = \lambda x.[(x = \mu(R,w,o,a)) \rightarrow \mu(R,e,o,a), v_R(x)]$$

iii) If Eq is a conditional equation of the form if $c$ then $s$, where $s$ is $'v' = e$ or $'v'(w) = e$, then
$$E(R,o,a,Eq) = \begin{cases} E(R,o,a,s) & \text{if } \mu(R,c,o,a) = true \\ v_R & \text{if } \mu(R,c,o,a) = false \end{cases}$$

iv) If Eq is a conditional equation of the form if $c$ then $s_1$ else $s_2$, then
$$E(R,o,a,Eq) = \begin{cases} E(R,o,a,s_1) & \text{if } \mu(R,c,o,a) = true \\ E(R,o,a,s_2) & \text{if } \mu(R,c,o,a) = false \end{cases}$$


First, define the function
$$U((a_1,\ldots,a_n),i,c) = \begin{cases} (a_1,\ldots,a_{i-1},c,a_{i+1},\ldots,a_n) & \text{if } 1 \leq i \leq n \\ (a_1,\ldots,a_n) & \text{if } i < 1 \text{ or } i > n \end{cases}$$
where $i$ is an integer and $(a_1,\ldots,a_n)$ is an n-tuple. This function changes the $i$th component of the n-tuple to $c$.

Now, let $o$ be an O-function with equations $Eq_1,\ldots,Eq_m$ in its effects section and let $a \in D_o$. Furthermore, assume
$$R \in \mathfrak{S} \subseteq [D_{v_1} \rightarrow R_{v_1}] \times \ldots \times [D_{v_n} \rightarrow R_{v_n}]$$
Finally, let $f_i = E(R,o,a,Eq_i)$ and let
$$j_i = \begin{cases} k & \text{if } E(R,o,a,Eq_i) \text{ changes V-function } v_k\text{'s mapping} \\ n+1 & \text{if } E(R,o,a,Eq_i) \text{ doesn't change any V-function's mapping} \end{cases}$$
Then the total effect of the effects section is given by
$$TE(R,o,a,Eq_1,\ldots,Eq_m) = U(\ldots U(U(R,j_1,f_1),j_2,f_2)\ldots,j_m,f_m)$$
Note that a V-function not affected by an equation $Eq_i$ retains the previous mapping associated with it. $TE(R,o,a,Eq_1,\ldots,Eq_m)$ corresponds to $T_o(R,a)$ in Chapter 2. So, we can define the next state function as follows.

Definition
Let $o$ be an O-function with Boolean expression $b$ in its applicability condition and equations $Eq_1,\ldots,Eq_m$ in its effects section. Let $a \in D_o$ and $R \in \mathfrak{S}$. Then
$$\text{NEXT}(R,o,a) = \begin{cases} TE(R,o,a,Eq_1,\ldots,Eq_m) & \text{if } \mu(R,b,o,a) = true \\ R & \text{if } \mu(R,b,o,a) = false \end{cases}$$
So, the state set can be generated as in Chapter 2.


1) $Q \in \mathfrak{S}$.
2) If $R \in \mathfrak{S}$ and $o$ is an O-function, then if $\text{NEXT}(R,o,a)$ is defined, $\text{NEXT}(R,o,a) \in \mathfrak{S}$, where $a \in D_o$.
3) These are the only elements of $\mathfrak{S}$.


Again, we must consider the question of whether or not NEXT is well-defined. This is dependent on $\mu$ and TE. Recall that $\mu$ is not necessarily a total function. So, it is possible for some state $S$ and $x \in D_o$ that $\mu(S,b,o,x)$ is undefined. Also, TE is not necessarily total, so we can encounter a similar situation. These two cases correspond to the problems discussed in Chapter 2, when $W_o(S,x)$ and $T_o(S,x)$ are undefined.

Besides the totality of TE, there is a further problem that we must consider. We have defined the ordering of the equations $Eq_1,\ldots,Eq_m$ as immaterial, but it is possible for some state $S$ and $a \in D_o$ that
$$TE(S,o,a,Eq_1,\ldots,Eq_m) \neq TE(S,o,a,Eq_{\pi(1)},\ldots,Eq_{\pi(m)})$$
where $\pi$ is a permutation from $\{1,\ldots,m\}$ onto $\{1,\ldots,m\}$. In this case, TE would be nondeterministic, or not uniquely defined, in the sense that its value depends on the order of the equations $Eq_1,\ldots,Eq_m$.

To handle these situations, we must introduce the notion of a well-defined state machine. Due to the last case, the definition differs slightly from that in Chapter 2 since we must explicitly guarantee that TE is uniquely defined, whereas in Chapter 2 this was unnecessary since by definition $T_o$ was a function.

Definition
A state machine SM is well-defined if for any $S \in \mathfrak{S}$, O-function $o$ and $a \in D_o$ both
1) $\text{NEXT}(S,o,a)$ is defined
and
2) $TE(S,o,a,Eq_1,\ldots,Eq_m) = TE(S,o,a,Eq_{\pi(1)},\ldots,Eq_{\pi(m)})$
where the equations $Eq_1,\ldots,Eq_m$ appear in $o$'s effects section and $\pi$ is any permutation from $\{1,\ldots,m\}$ onto $\{1,\ldots,m\}$.
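The definitions of μ, E, U, TE and NEXT above, together with both clauses of the well-definedness definition, executed on a small constructed state as an added example. This is our code, not the thesis's: the encoding of equations as tuples, the state R0 and the O-functions SWAP, CLASH, SPLIT, READS_UNDEFINED and GUARDED are assumptions made for the demonstration.

```python
from itertools import permutations
from typing import Any, Callable, Dict, List, Optional, Tuple

LAMBDA: tuple = ()                      # the null string, argument of every nullary V-function
Mapping = Dict[tuple, Any]              # a V-function's mapping as a set of (argument, value) pairs
State = Dict[str, Mapping]              # R: one mapping per non-derived or hidden V-function
Expr = Callable[[State, tuple], Any]    # an expression, evaluated in R with actual arguments a
Equation = tuple                        # ('simple', v, arg_exprs, e): 'v'(arg_exprs) = e, arg_exprs == () for 'v' = e
                                        # ('if', c, eq1, eq2_or_None): if c then eq1 [else eq2]


class Undefined(Exception):
    """Raised where the thesis says mu(R, E, o, a) is undefined."""


def const(c: Any) -> Expr:
    return lambda R, a: c


def arg(i: int) -> Expr:                # the i-th formal argument after substitution of a
    return lambda R, a: a[i]


def vf(name: str, *arg_exprs: Expr) -> Expr:
    """v(e1..en) as an expression: R |= v(E1..En) = v_R(R |= E1, ..., R |= En).
    An unquoted V-function reads R, the mapping before the O-function call."""
    def ev(R: State, a: tuple) -> Any:
        key = tuple(e(R, a) for e in arg_exprs)
        if key not in R[name]:
            raise Undefined(f"{name}{key} is undefined in R")
        return R[name][key]
    return ev


def mu(R: State, E_: Expr, a: tuple) -> Any:
    """mu(R, E, o, a); o is implicit because a is already the call's actual argument tuple."""
    return E_(R, a)


def E(R: State, a: tuple, Eq: Equation) -> Optional[Tuple[str, Mapping]]:
    """Figure 11's effects function: the V-function changed by Eq and its new mapping
    lambda x.[(x = mu(R,w,o,a)) -> mu(R,e,o,a), v_R(x)]; None when a one-armed
    conditional equation does not fire and the mapping is left as it was."""
    if Eq[0] == 'simple':
        _, v, arg_exprs, e = Eq
        new = dict(R[v])
        new[tuple(mu(R, x, a) for x in arg_exprs)] = mu(R, e, a)
        return v, new
    _, c, eq1, eq2 = Eq
    if mu(R, c, a):
        return E(R, a, eq1)
    return E(R, a, eq2) if eq2 is not None else None


def U(R: State, k: Optional[str], f: Optional[Mapping]) -> State:
    """Replace component k of the state tuple by f; k = None plays the role of index n+1."""
    if k is None:
        return R
    return {**R, k: f}


def TE(R: State, a: tuple, eqs: List[Equation]) -> State:
    """TE(R,o,a,Eq1..Eqm) = U(...U(U(R,j1,f1),j2,f2)...,jm,fm): every f_i is computed
    against the same R, then the components are replaced in the order of the equations."""
    fs = [E(R, a, Eq) for Eq in eqs]
    for f in fs:
        R = U(R, *f) if f is not None else R
    return R


def NEXT(R: State, o: Tuple[Expr, List[Equation]], a: tuple) -> Optional[State]:
    """NEXT(R,o,a): TE if the applicability condition holds, R if it does not, and None
    where mu is undefined, i.e. where condition 1) of well-definedness fails."""
    appl, eqs = o
    try:
        return TE(R, a, eqs) if mu(R, appl, a) else R
    except Undefined:
        return None


def _freeze(R: State):
    return tuple(sorted((v, tuple(sorted(m.items()))) for v, m in R.items()))


def order_independent(R: State, o: Tuple[Expr, List[Equation]], a: tuple) -> bool:
    """Condition 2) of well-definedness for one state and call: TE must yield the same
    state for every permutation of the effects section."""
    return len({_freeze(TE(R, a, list(p))) for p in permutations(o[1])}) == 1


# A constructed state (not from the thesis): nullary x and y, unary z defined only at 1,
# and w whose Initial Value is undefined, so its mapping is the empty set.
R0: State = {"x": {LAMBDA: 1}, "y": {LAMBDA: 2}, "z": {(1,): 0}, "w": {}}

SWAP = (const(True), [('simple', 'x', (), vf('y')),               # 'x' = y
                      ('simple', 'y', (), vf('x'))])              # 'y' = x
CLASH = (const(True), [('simple', 'z', (const(1),), const(5)),    # 'z'(1) = 5
                       ('simple', 'z', (const(1),), const(6))])   # 'z'(1) = 6
SPLIT = (const(True), [('simple', 'z', (const(1),), const(5)),    # 'z'(1) = 5
                       ('simple', 'z', (const(2),), const(6))])   # 'z'(2) = 6
READS_UNDEFINED = (const(True), [('simple', 'x', (), vf('w'))])   # 'x' = w
GUARDED = (const(True), [('if', lambda R, a: a[0] > 0,            # if a > 0 then 'x' = a
                          ('simple', 'x', (), arg(0)), None)])
```

SWAP is order independent because every f_i is evaluated against the same R, so the unquoted y and x on the right-hand sides read the values before the call; it swaps x and y. CLASH fails condition 2). SPLIT fails it too, and that is worth noticing: each f_i is a whole mapping that U substitutes for the V-function's component, so the second equation on z discards the first's update whichever order is used, and under this TE two simple equations in one effects section may not update the same V-function at different arguments. READS_UNDEFINED fails condition 1), since w's mapping is empty and μ is undefined on it; GUARDED shows a one-armed conditional equation leaving R unchanged when its guard is false.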
3.2.2 The Semantics of V-functions and O-functions

With this definition of the state set $\mathfrak{S}$ of a state machine specification, it is now possible to formally define the meaning of the O-functions and V-functions. As in Chapter 2, this will be done by defining mappings V-Eval for V-functions and O-Eval for O-functions.

O-Eval will be defined first. Now, given a state $S$ and an O-function $o$ with Boolean expression $b$ in its applicability condition, $\text{O-Eval}(S,o)$ returns a function from $D_o$ into $\mathfrak{S} \cup \{error\}$. So, using lambda notation,
$$\text{O-Eval}(S,o) = \lambda a.[\mu(S,b,o,a) \rightarrow \text{NEXT}(S,o,a), error]$$
Again, $\text{O-Eval}(S,o)$ is not necessarily total, but in a well-defined state machine this is always the case.

For any V-function $v$ and state $S$, V-Eval will return a function from $D_v$ into $R_v \cup \{error\}$. First, for a non-derived or hidden V-function $v$ and a state $S$, recall that $v_S$ denotes the function associated with $v$ in state $S$. Then for any non-derived or hidden V-function $v$ with expression $b$ in its applicability condition,
$$\text{V-Eval}(S,v) = \lambda a.[\mu(S,b,v,a) \rightarrow v_S(a), error]$$
Finally, for a derived V-function $v$ with expression $b$ in its applicability condition, there are two cases.

i) If $v$'s derivation section contains $v(x_1,\ldots,x_n) = e$, then
$$\text{V-Eval}(S,v) = \lambda a.[\mu(S,b,v,a) \rightarrow \mu(S,e,v,a), error]$$

ii) If $v$'s derivation section contains if $c$ then $v(x_1,\ldots,x_n) = e_1$ else $v(x_1,\ldots,x_n) = e_2$, then
$$\text{V-Eval}(S,v) = \lambda a.[\mu(S,b,v,a) \rightarrow (\mu(S,c,v,a) \rightarrow \mu(S,e_1,v,a), \mu(S,e_2,v,a)), error]$$

As was mentioned in Chapter 2, $\text{V-Eval}(S,v)$ is not necessarily a total function from $D_v$ into $R_v \cup \{error\}$. When it is, we say the state machine is consistent. The definition is the same as in Chapter 2.


3.3 An Example

In this section, we outline a proof that a particular state machine is well-defined and consistent. The full details of the proof are contained in Appendix 2. Our example specification is illustrated in Figure 12. This data abstraction is a queue with three operations: insert, which adds an integer to the rear of the queue, delete, which removes the integer at the front of the queue, and first_element, which returns the integer at the front of the queue. The hidden V-function storage is used to store the elements of the queue. front and back point, respectively, to the beginning and end of the queue. Note that this queue can hold an arbitrary number of integers.


Figure 12. Queue

queue = state machine is insert, delete, first_element

first_element = derived V-function() returns integer
    Appl. Cond.: front ≠ back - 1
    Derivation: first_element = storage(front)
end first_element

front = hidden V-function() returns integer
    Appl. Cond.: true
    Initial Value: -1
end front

back = hidden V-function() returns integer
    Appl. Cond.: true
    Initial Value: 0
end back

storage = hidden V-function(i:integer) returns integer
    Appl. Cond.: front ≥ i ≥ back
    Initial Value: undefined
end storage

insert = O-function(i:integer)
    Appl. Cond.: true
    Effects: 'storage'(back - 1) = i
             'back' = back - 1
end insert

delete = O-function()
    Appl. Cond.: front ≠ back - 1
    Effects: 'front' = front - 1
end delete

end queue


We shall first show that the specification is well-defined. This will be done by initially proving a lemma that captures the key properties necessary to insure that the machine is well-defined.

Lemma  For any S ∈ 𝒮, back_S ∈ [∅ → integer] and front_S ∈ [∅ → integer] and front_S ≥ back_S - 1.

This lemma can be established using the inductive method outlined in Section 2.2.4. The basis of the induction is trivial since front and back are defined to return -1 and 0, respectively, in the initial state of the machine. The inductive step is also readily apparent. For any state, insert decrements back by 1 and leaves front unchanged. Furthermore, delete leaves back unchanged and only decrements front by 1 when its applicability condition is satisfied.

We can now prove that the machine is well-defined using the above lemma. This lemma is helpful because both front and back must be evaluated in insert's and delete's applicability conditions and effects sections.


To prove that the machine is well-defined, three properties must be established: i) the applicability conditions of the O-functions insert and delete are defined, ii) the next state function is defined for both insert and delete, and, finally, iii) the ordering of the equations in both insert's and delete's effects sections is immaterial. Note that iii) is trivially established since delete has only one equation in its effects section and the two equations in insert's effects section modify different V-functions. Thus, it is only necessary to deal with i) and ii). We now complete the proof.

Since insert's applicability condition is a constant and delete's applicability condition only involves front and back, which were shown by the lemma always to return an integer value, i) is established. The second part of the proof is also established by appealing to the lemma. Since insert's and delete's effects sections only evaluate front and back, it is clear that the next state function is defined for both these O-functions.

We will now show that the specification is consistent. This involves proving that the four V-functions are total. First note that the lemma guarantees that front and back are total. Storage and first_element, however, require more attention. Again, we must introduce a lemma and then prove the desired results directly from the lemma. The lemma shows that storage's applicability condition accurately describes its domain.


Lemma  For any S ∈ 𝒮, if front_S ≥ k ≥ back_S, then storage_S(k) is defined.


This lemma can also be established by the inductive approach outlined in Section 2.2.4. The basis is vacuously true since in the initial state, back is greater than front. Now assume the lemma is true for any state S. We must consider the effect of insert and delete on S. Since delete decreases front by 1, the result immediately follows from the inductive hypothesis. Now let S* = NEXT(S,insert,x). There are two cases. Either front_{S*} = back_{S*}, in which case storage_{S*}(front_{S*}) evaluates to x, or front_{S*} ≠ back_{S*}. In the latter case, front_{S*} > back_{S*} and front_{S*} = front_S and back_{S*} = back_S - 1. So for front_{S*} ≥ k ≥ back_{S*} + 1, storage_{S*}(k) is defined by the inductive hypothesis. Also, storage_{S*}(back_{S*}) evaluates to x.

Thus, in either case V-Eval(S,storage) is total in any state S. To see that V-Eval(S,first_element) is total in any state S, note that there are two cases. First, if front_S = back_S - 1, first_element's applicability condition is not satisfied, in which case error is returned. Otherwise, its applicability condition holds, so front_S ≠ back_S - 1 and hence front_S ≥ back_S. So, by the lemma, storage_S(front_S) is defined and first_element returns this value.




4. An Implementation Language for State Machines

Chapters 2 and 3 have focused on formalizing the semantics of state machine specifications. The work accomplished in these two chapters allows one to write precise and unambiguous specifications of data abstractions using state machines. But these abstractions are only mathematical objects. They can not be used directly as objects in any programming language. They must first be implemented. Thus, an important step in any formalization is to be able to describe formally when a data abstraction specified by a state machine is properly implemented in some programming language. Developing this definition involves the following. First, a programming language for implementing state machines must be described. This topic is discussed in this chapter. Then, a method of proving the correctness of an implementation must be defined. This topic is treated in the next chapter.

In this chapter, the general properties of any programming language for implementing state machine specifications are described; in particular, the basic data abstractions to represent the specified objects and the control constructs to implement the V-functions and O-functions. This approach of illustrating program correctness is valid since any programming language for implementing state machines must include these
unimportant here. Accordingly, this detail is totally suppressed in this chapter. Rather, the control constructs to be used with state machine specifications are introduced. So, implementations of state machine specifications will be written in terms of other, simpler state machine specifications. For instance, a specification of a stack could be implemented using state machine specifications of variables and arrays to represent elements of the data abstraction and the control constructs to realize the V-functions and O-functions.

To develop a definition of program correctness, it is only necessary to define the relation between the objects of the specification and the objects of the implementation. Hence, since this chapter contains a general discussion of the objects of an implementation, it is possible in Chapter 5 to give a general definition of program correctness. To prove that this definition holds requires involvement with the semantics of the programming language and identifying correspondences between objects of the language and terms used in the definition. But these issues are not a major concern for only stating the definition of a correct program that involves state machines.
4.1 An Example

An example state machine specification and its corresponding implementation are given in Figures 13 and 14, respectively. The data abstraction specified in Figure 13 is a finite integer set. Insert and remove are O-functions that insert and remove, respectively, integers from the set. Cardinality is a V-function that returns the number of integers in the set. Has is another V-function that determines whether or not a given integer is in the set.

Figure 14 contains an implementation of finite_integer_set. The set is stored as an ordered sequence of integers in the array A. INSERT, REMOVE, CARDINALITY and HAS are the corresponding implementations of insert, remove, cardinality and has.¹ Each of these operations uses SEARCH, which performs a binary search on the array A. SEARCH

1. Throughout this thesis, lower case letters will be used in the names of V-functions and O-functions of a state machine specification. Capital letters will represent their corresponding implementation.




Figure 13. Specification of Finite Integer Set

finite_integer_set = state machine is cardinality, has, remove, insert

cardinality = non-derived V-function() returns integer
    Appl. Cond.: true
    Initial Value: 0
end cardinality

has = non-derived V-function(i:integer) returns Boolean
    Appl. Cond.: true
    Initial Value: false
end has

insert = O-function(i:integer)
    Appl. Cond.: cardinality < 100
    Effects: 'has'(i) = true
             if ~has(i) then 'cardinality' = cardinality + 1
end insert

remove = O-function(i:integer)
    Appl. Cond.: true
    Effects: 'has'(i) = false
             if has(i) then 'cardinality' = cardinality - 1
end remove

end finite_integer_set
Figure 14. Implementation of finite integer set

FINITE_INTEGER_SET = implementation is INSERT, REMOVE, HAS, CARDINALITY

A: array of integers initially undefined
COUNT: integer variable initially 0

SEARCH = procedure(i,f,k: integer) returns integer
    if f = k
      then return k
      else if i ≤ A.read(⌊(f+k)/2⌋)
        then return SEARCH(i,f,⌊(f+k)/2⌋)
        else return SEARCH(i,⌊(f+k)/2⌋+1,k)
end SEARCH

INSERT = procedure(i:integer)
    if COUNT.read = 0
      then begin
          A.change(0,i);
          COUNT.change(1)
        end
      else if COUNT.read < 100
        then if COUNT.read = SEARCH(i,0,COUNT.read)
          then begin
              A.change(SEARCH(i,0,COUNT.read),i);
              COUNT.change(COUNT.read+1)
            end
          else if A.read(SEARCH(i,0,COUNT.read)) = i
            then return
            else begin
                for j := COUNT.read step -1 until SEARCH(i,0,COUNT.read) do
                  if j ≠ 0 then A.change(j,A.read(j-1));
                A.change(SEARCH(i,0,COUNT.read),i);
                COUNT.change(COUNT.read+1)
              end
        else signal error
end INSERT

REMOVE = procedure(i:integer)
    if COUNT.read = 0
      then return
      else if A.read(SEARCH(i,0,COUNT.read)) = i
        then begin
            for j := SEARCH(i,0,COUNT.read) until COUNT.read-2 do
              A.change(j,A.read(j+1));
            COUNT.change(COUNT.read-1)
          end
        else return
end REMOVE

CARDINALITY = procedure() returns integer
    return COUNT.read
end CARDINALITY

HAS = procedure(i:integer) returns Boolean
    if COUNT.read = 0
      then return false
      else if A.read(SEARCH(i,0,COUNT.read)) = i
        then return true
        else return false
end HAS

end FINITE_INTEGER_SET


returns the index where the binary search stops.

An implementation consists of three parts: an interface description, an object description and operation definitions.

The interface description of an implementation provides a very brief description of the interface that the implementation presents to the outside environment. It consists of the name of the data abstraction being implemented and a list of the operations that users of the implementation may employ. In the example this is

  FINITE_INTEGER_SET = implementation is INSERT, REMOVE, HAS, CARDINALITY

Operations such as SEARCH, whose names do not appear in this list, may not be accessible by users of the implementation.


The object description of an implementation lists the data abstractions in terms of which the object being implemented is represented. Here, each of these data abstractions will be specified as a state machine and ALMS will be used for the specification language, although any specification language could be used.

In the example the object description consists of

  A: array of integers initially undefined
  COUNT: integer variable initially 0

These phrases are syntactic sugar for the state machine specifications of a variable and an array given in Figures 15 and 16, respectively. The variable COUNT and the array A are used to represent the data abstraction. COUNT records the number of integers in the set. These integers are stored as an ordered sequence in the array A from 0 to COUNT - 1.

The body of the implementation consists of operation definitions that provide implementations of the permissible operations of the data abstraction: the O-functions and the non-derived and derived V-functions. It is not necessary to implement the hidden V-functions since they are inaccessible to users. An operation should be defined for each of these permissible operations.

In our examples, these operation definitions will be written using V-functions and O-functions grouped together by the usual control constructs that would be found in, say, ALGOL 60 or PASCAL. These V-function and O-function calls should be interpreted as


Figure 15. Variable

X: type_t variable initially a   is equivalent to

X = state machine is X.read, X.change

X.read = non-derived V-function() returns type_t
    Appl. Cond.: true
    Initial Value: a
end X.read

X.change = O-function(t:type_t)
    Appl. Cond.: true
    Effects: 'X.read' = t
end X.change

end X

where type_t is the name of a defining abstraction of ALMS
and a is an element of type_t or undefined.


follows. Assume that the implementation maintains a record of the current state of the machines in the object description. For example, if no O-functions have been called, the implementation would view each state machine as being in its initial state. Now, each V-function call v(a) should be interpreted as

  V-Eval(S,v)(a),

where S, remembered by the implementation, is the current state of the V-function's machine. An O-function call o(a) is interpreted as

  O-Eval(S,o)(a) = S*
Figure 16. Array

X: type_t array initially a   is equivalent to

X = state machine is X.read, X.change

X.read = non-derived V-function(i:integer) returns type_t
    Appl. Cond.: true
    Initial Value: a
end X.read

X.change = O-function(i:integer, t:type_t)
    Appl. Cond.: true
    Effects: 'X.read'(i) = t
end X.change

end X

where type_t is the name of a defining abstraction of ALMS
and a is an element of type_t or undefined.


where S is as before. Furthermore, the implementation now updates S to S* and maintains S* as the current state of o's machine until another O-function of that machine is called.


5. Proving an Implementation Correct

To formally establish the correctness of a program, one must prove that the program is equivalent to a specification of its intended behavior by formal, analytic means. This chapter is concerned with this process, discussing how to prove the correctness of programs that implement data abstractions specified by state machines.

Here, the homomorphism property will be used in the proofs. In general, this involves showing the following [Hoare 72]. Assume there is a class of abstract objects 𝒜 with abstract operations. Furthermore, suppose that x* is the concrete object representing an abstract object belonging to 𝒜. Let 𝒞 be the collection of all such x*. Finally, suppose that Φ_c is a concrete operation that purports to be an implementation of an abstract operation Φ. Then, the homomorphism property involves defining an abstraction function, A, mapping from 𝒞 onto 𝒜 and showing for every operation that

  Φ(A(x*)) = A(Φ_c(x*)).

Before attempting such a proof, three steps must be performed. First, the concrete objects used to represent the elements of a data abstraction must be characterized. This is discussed in Section 5.1. Then the class of abstract objects 𝒜 must be identified. This is done in Section 5.2. Finally, the abstraction function A must be described. Section 5.3 is concerned with this issue and the problem of adapting the homomorphism property to the particular needs of state machine specifications.
5.1 The Concrete Representation

A concrete representation of a data abstraction specified by a state machine will usually consist of a collection of objects to represent the state set, and a group of operations that purport to implement the various functions of the machine. Some of these operations will implement O-functions and others will implement derived and non-derived V-functions. Note that it is unnecessary to implement hidden V-functions since they are inaccessible and not an intrinsic part of the data abstraction.

All of these operations will access or modify the concrete objects that are used to represent the state set of the state machine. We shall denote the set of all such concrete objects by 𝒞. If a concrete operation implements an O-function o, then we view the operation as a mapping from 𝒞 × D_o into 𝒞. If it implements a V-function v, then it is a mapping from 𝒞 × D_v into R_v. By adopting this view, we are making 𝒞 an explicit parameter of each operation. This may differ from the actual semantics of the implementation language but clarifies the meaning of procedures that operate by side effects or by accessing global variables. For example, in the finite integer set implementation, 𝒞 corresponds to the states of A and COUNT remembered by the implementation.

We shall now describe 𝒞 in more detail. In general, 𝒞 is a subset of the product of the state sets of the collection of objects. For instance, in the finite integer set example of Chapter 4,

  𝒞 ⊆ 𝒮_A × 𝒮_COUNT

A set such as 𝒮_A × 𝒮_COUNT is too large to use as the domain of the abstraction function since it usually contains elements that do not correspond to any element of the data abstraction being implemented. So it is necessary to describe 𝒞 explicitly.

The standard way to do this is to use a concrete invariant, I_c. This is a predicate defining some relationship between the concrete variables and thus placing a constraint on the possible combinations of values that they may take. Then,

  𝒞 = {x | I_c(x)}.

For the finite integer set implementation, I_c is

  0 ≤ COUNT.read ≤ 100 ∧ (∀i,j)[0 ≤ i < j < COUNT.read → A.read(i) < A.read(j)]

This predicate states that the implementation of finite_integer_set contains at most 100 integers and that the elements between 0 and COUNT in the array A are all distinct and ordered. This latter condition is necessary to insure the correctness of SEARCH. The ordered pair

  (∅, {(∅,0)}) ∈ 𝒮_A × 𝒮_COUNT

satisfies I_c above. This ordered pair corresponds to both machines A and COUNT being in their initial states.
5.2 The Abstract Objects

The elements of the concrete representation 𝒞 should implement or represent the entire state set of a state machine specification. However, a concrete object does not represent a single state but rather a set of states. This occurs since certain states may have no observable differences. When this happens, we say the states are equivalent. So, a concrete object actually implements the equivalence class of a state and we identify the class of abstract objects 𝒜 with the set of equivalence classes of the state set.

For example, consider the specification of bounded_stack in Chapter 1. Its state set is a subset of [D_stack → R_stack] × [D_depth → R_depth]. Now consider the two states

  S_1 = (∅, {(∅,0)})

and

  S_2 = ({(1,1)}, {(∅,0)})

Here, ∅ is the null set. The first state S_1 corresponds with the initial state of bounded_stack, so stack is totally undefined and depth returns 0. (Recall our previous convention that the domain of nullary functions is ∅.) The second state S_2 corresponds to stack(1) returning the value 1 and, for x ≠ 1, stack(x) is undefined. Also in S_2, depth returns the value 0. Thus S_2 = NEXT(NEXT(Q,push,1),pop) where Q is the initial state of bounded_stack. These two states, S_1 and S_2, are equivalent as far as a user of the machine is concerned since stack is hidden from a user and depth returns 0 in either state.

Equivalent states are defined below. Intuitively, two states are equivalent when it is impossible for a user of the specification to determine any difference between them.
Definition
Two states S_1 and S_2 of a state machine specification SM are equivalent if for any

  S_1* = O-Eval(...O-Eval(O-Eval(S_1,o_1)(a_1),o_2)(a_2)...,o_n)(a_n)
  S_2* = O-Eval(...O-Eval(O-Eval(S_2,o_1)(a_1),o_2)(a_2)...,o_n)(a_n)

where o_i is an O-function of SM, a_i ∈ D_{o_i} and n ≥ 0,
  either S_1* = S_2* = error
  or both S_1* and S_2* are undefined
  or V-Eval(S_1*,v) = V-Eval(S_2*,v) for any non-derived or derived V-function v of SM.


This definition guarantees that if a series of O-functions are applied to two equivalent states, then two new states are obtained where the non-derived and derived V-functions behave identically. Furthermore, by applying a series of O-functions to the two states, we make certain that all delayed effects become apparent. We shall denote the equivalence class of a state S by [S].

For example, for a state S of finite_integer_set in Chapter 4, [S] simply contains the state S. For the initial state Q of bounded_stack,

  [Q] = {(F,{(∅,0)}) ∈ 𝒮_bounded_stack}

where F is a mapping associated with the hidden V-function stack. In other words, [Q] is the set of all states where depth returns the value 0. Note that [Q] is infinite. This occurs since the data abstraction integers used in bounded_stack contains infinitely many elements. If bounded_stack used a data abstraction for the integers that had a bound on the number of elements (such as the integers used in programming languages), then [Q] and all the other equivalence classes of bounded_stack would be finite. Furthermore, bounded_stack's state set would be finite.

The equivalence classes of the state set can be enumerated by using a normal form generation of a state as the representative of each equivalence class. A normal form generation of a state is either Q, the initial state, or generated from Q by only using information adding O-functions. Recall that an information removing O-function deletes information that was previously added by an information adding O-function. The same effect can be achieved by initially not adding this information. Thus, this representation is valid since every state either equals a normal form generation or is equivalent to a normal form generation. For example, in finite_integer_set,

  S = NEXT(Q,insert,1)

is a normal form generation but

  NEXT(NEXT(NEXT(Q,insert,1),remove,1),insert,1)

is not. However, it is equivalent to S.
5.3 The Homomorphism Property

It is now possible to state what the correctness of an implementation means. Informally, the implementation of a data abstraction is correct when the operations of the implementation and of its corresponding specification behave identically and there is at least one object of the implementation corresponding to every object of the data abstraction. This is the usual meaning of a homomorphism in mathematics [Metah & 67].

Formally, to prove the correctness of an implementation, one must first define an abstraction function A from 𝒞 onto the equivalence classes of 𝒮, the state set of the state machine being implemented. A simple and natural way to do this is to first define a function f from 𝒞 into 𝒮 (e.g. into the normal form generations of 𝒮) and then to define the abstraction function as A(x) = [f(x)]. A must map onto the abstract objects 𝒜, the equivalence classes of 𝒮, but it need not be a one-to-one mapping from 𝒞 onto the equivalence classes of 𝒮, since many concrete objects can represent one abstract object.

Now, after defining A, one must show for every C ∈ 𝒞 and O-function o,

  [O-Eval(f(C),o)(x)] = [f(O(C,x))]¹

where x ∈ D_o, and for every non-derived or derived V-function v

  V-Eval(f(C),v)(x) = V(C,x)

1. This is a slight abuse of notation. We assume [error] = error.
where x ∈ D_v.

The above definition assumes that an implementation of a V-function does not modify the concrete representation. If it does, we must add the condition

  [f(C)] = [f(V(C,x))]

This could occur in an implementation of finite_integer_set where HAS reorders the elements of A.

We shall illustrate these ideas using the example in Chapter 4. Here we assume

  𝒞 ⊆ 𝒮_A × 𝒮_COUNT

and

  𝒮_finite_integer_set ⊆ [D_has → R_has] × [D_cardinality → R_cardinality].

First, let (C_1,C_2) ∈ 𝒞. So C_1 is a state of the array A and C_2 is a state of the variable COUNT. It is helpful to define the predicate IN(C_1,C_2,i), which is true if the integer i is a member of the concrete set, as follows:

  IN(C_1,C_2,i) ≡ (∃j)[V-Eval(C_1,A.read)(j) = i ∧ 0 ≤ j < V-Eval(C_2,COUNT.read)].

Informally, this predicate is true if there exists an integer j such that in the state C_1 of A, A.read(j) returns i and j is greater than or equal to zero and less than the value returned by COUNT.read in state C_2 of COUNT. Then

  f((C_1,C_2)) = ({(i,true) | IN(C_1,C_2,i)} ∪ {(i,false) | ¬IN(C_1,C_2,i)}, {(∅, V-Eval(C_2,COUNT.read))})

Now to establish the correctness of the implementation it is necessary to show that A is onto 𝒜. This can be established by showing for every S ∈ 𝒮 that there exists a C ∈ 𝒞 such that [f(C)] = [S]. Then one must prove that

  1. [O-Eval(f(C),insert)(x)] = [f(INSERT(C,x))]
  2. [O-Eval(f(C),remove)(x)] = [f(REMOVE(C,x))]
  3. V-Eval(f(C),has)(x) = HAS(C,x)
  4. V-Eval(f(C),cardinality) = CARDINALITY(C)

Consider proving 3. Here, it is necessary to show that if an integer x is or is not in the set, then HAS, respectively, returns true or false. This property could be shown by first proving a lemma stating that SEARCH(x,0,COUNT.read) always returns the index where x should appear in the array A. This lemma will also be useful to establish 1. and 2. Furthermore, in proving 1. and 2., it would be necessary to show that both preserve the concrete invariant since A's domain is 𝒞.
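The implementation of Figure 14 and the homomorphism conditions 1-4 of this section can be checked mechanically on short call sequences. The Python below is an added example, not the thesis's own code: spec_insert and spec_remove implement the Figure 13 O-functions, search and the conc_* functions implement Figure 14, invariant is I_c, f is the abstraction function defined above, and check_homomorphism compares both sides; the guard against evaluating A.read(COUNT.read) in REMOVE and HAS is this example's addition, since Figure 14 reads that undefined element when the argument exceeds every stored integer.

```python
from itertools import product

BOUND = 100   # insert's applicability condition in Figure 13: cardinality < 100

# Abstract side (Figure 13): a state is (set of i with has(i) = true, cardinality).
SPEC_INITIAL = (frozenset(), 0)

def spec_insert(S, i):
    """O-Eval(S,insert)(i): error when cardinality >= 100, else NEXT(S,insert,i)."""
    members, card = S
    if card >= BOUND:
        return "error"
    return (members | {i}, card + (0 if i in members else 1))

def spec_remove(S, i):
    members, card = S
    return (members - {i}, card - (1 if i in members else 0))

# Concrete side (Figure 14): C = (A, COUNT); an index absent from dict A is undefined.
CONC_INITIAL = ({}, 0)

def invariant(C):
    """I_c: 0 <= COUNT <= 100 and A[0..COUNT-1] defined and strictly increasing."""
    A, count = C
    return (0 <= count <= BOUND and all(k in A for k in range(count))
            and all(A[k] < A[k + 1] for k in range(count - 1)))

def search(A, i, f, k):
    """SEARCH(i,f,k): the index in f..k where i is, or where it belongs."""
    if f == k:
        return k
    mid = (f + k) // 2
    return search(A, i, f, mid) if i <= A[mid] else search(A, i, mid + 1, k)

def conc_insert(C, i):
    """INSERT(C,i): the new concrete object, or "error" when the set is full."""
    A, count = C
    A = dict(A)
    if count == 0:
        A[0] = i
        return (A, 1)
    if count >= BOUND:
        return "error"
    pos = search(A, i, 0, count)
    if pos == count:                 # i exceeds every element: append it
        A[count] = i
        return (A, count + 1)
    if A[pos] == i:                  # already a member
        return (A, count)
    for j in range(count, pos, -1):  # shift A[pos..count-1] up by one
        A[j] = A[j - 1]
    A[pos] = i
    return (A, count + 1)

def conc_remove(C, i):
    """REMOVE(C,i). The pos == count guard is this example's own: Figure 14 would
    evaluate A.read(COUNT.read), which is undefined, when i exceeds every element."""
    A, count = C
    if count == 0:
        return C
    pos = search(A, i, 0, count)
    if pos == count or A[pos] != i:
        return C
    A = dict(A)
    for j in range(pos, count - 1):  # shift A[pos+1..count-1] down by one
        A[j] = A[j + 1]
    del A[count - 1]
    return (A, count - 1)

def conc_has(C, i):
    """HAS(C,i), with the same guard on A.read(COUNT.read) as conc_remove."""
    A, count = C
    pos = search(A, i, 0, count) if count else 0
    return count > 0 and pos < count and A[pos] == i

def f(C):
    """Abstraction function of Section 5.3: f((C1,C2)) = (members, COUNT.read)."""
    A, count = C
    return (frozenset(A[j] for j in range(count)), count)

def check_homomorphism(values=(3, 1, 2), depth=3):
    """Run every sequence of at most `depth` insert/remove calls on both sides and
    check conditions 1-4 after each step; classes of finite_integer_set are
    singletons, so [f(C)] = [S] reduces to f(C) == S. Returns sequences tried."""
    ops = [("insert", x) for x in values] + [("remove", x) for x in values]
    tried = 0
    for n in range(depth + 1):
        for seq in product(ops, repeat=n):
            S, C = SPEC_INITIAL, CONC_INITIAL
            for op, x in seq:
                S = spec_insert(S, x) if op == "insert" else spec_remove(S, x)
                C = conc_insert(C, x) if op == "insert" else conc_remove(C, x)
                assert invariant(C)              # INSERT and REMOVE preserve I_c
                assert f(C) == S                 # conditions 1 and 2
            for x in values:                     # condition 3: V-Eval(f(C),has)(x)
                assert (x in f(C)[0]) == conc_has(C, x)
            assert f(C)[1] == C[1]               # condition 4: cardinality vs COUNT.read
            tried += 1
    return tried
```

The search is bounded, so a passing run supports rather than proves conditions 1-4; the lemma about SEARCH mentioned above is still what a proof needs.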
6. An Extended Model for State Machines

The model of a state machine developed in Chapter 2 does not allow the specification of V-functions or O-functions that operate on two or more objects of the data abstraction defined by the machine. In this chapter, this restriction is lifted and the model is extended to allow the specification of these greater than unary operations.

To specify greater than unary operations, the definitions of the O-functions and V-functions must first be extended. O-functions and derived V-functions will now be allowed to have more than one argument of the data abstraction specified by the machine. For example, this allows the definition of an O-function, union, which computes the union of two sets, or the definition of a derived V-function, common_element_?, which returns true or false if two sets have or do not have, respectively, any common elements.

O-functions will still retain their interpretation of changing the state of the machine, but now this state change can be dependent on more than one state. Derived V-functions will also have their previous interpretation expanded. Now, instead of allowing the user limited access to only one state, they will permit simultaneous access to more than one state.

Non-derived V-functions and hidden V-functions will, however, still be restricted to their previous interpretation. So, they can only specify unary operations on the data abstraction specified by the machine. This conforms to their interpretation as fully characterizing a single state of the machine.

An example of a state machine specification with greater than unary operations is given in Figure 17. This is the specification of an integer set that can contain an arbitrary number of integers. The specification defines the usual operations insert, remove and has as
Figure 17. Specification of Integer Set

integer_set = state machine is has, remove, insert, union, common_element_?

has = non-derived V-function(s:state, i:integer) returns Boolean
    Appl. Cond.: true
    Initial Value: false
end has

common_element_? = derived V-function(s_1,s_2:state) returns Boolean
    Appl. Cond.: true
    Derivation: common_element_?(s_1,s_2) = (∃i)[has(s_1,i) ∧ has(s_2,i)]
end common_element_?

insert = O-function(s:state, i:integer)
    Appl. Cond.: true
    Effects: 'has'(i) = true
end insert

remove = O-function(s:state, i:integer)
    Appl. Cond.: true
    Effects: 'has'(i) = false
end remove

union = O-function(s_1,s_2:state)
    Appl. Cond.: true
    Effects: (∀i)['has'(i) = has(s_1,i) ∨ has(s_2,i)]
end union

end integer_set

well as the operations union and common_element_? described above. Union's effects section defines the mapping of each non-derived V-function in the new state that it creates. Note that a for all statement has been added for this purpose. Any greater than unary O-function must define the mapping associated with every non-derived or hidden V-function in the new state that it creates so that this new state is fully characterized.
We shall now formalize this type of specification by making a few extensions to the model in Chapter 2. As in that chapter, each machine is modelled by a set of states, where each state is modelled by a set of functions corresponding to the hidden and non-derived V-functions; O-functions define transitions between states.

6.1 Extensions to the Basic Components

6.1.1 V-functions

6.1.1.1 Non-derived and Hidden V-functions

Non-derived and hidden V-functions are specified as in Figure 18. Note that D is now included in the mapping description to indicate that the V-function is a unary operation on the data abstraction defined by the machine. The remainder of the definition is defined in the same manner and retains the same interpretation as in Section 2.1.1.1 of Chapter 2.

Figure 18. Non-derived or hidden V-function v

  Mapping Description: D; D_v → R_v
  Applicability Condition: α_v: 𝒮 × D_v → Boolean
  Initial Value: init_v ∈ (D_v → R_v)

So, the sets D_v and R_v in the V-function's mapping description may not contain any element of the data abstraction defined by the machine. And as before, since the state of the machine is characterized by a set of mappings associated with each non-derived and hidden V-function, we view the state set 𝒮 as a subset of

  (D_{v_1} → R_{v_1}) × ... × (D_{v_m} → R_{v_m})

where {v_1,...,v_m} is the set of non-derived and hidden V-functions of the machine.


6.1.1.2 Derived V-functions | 


A derived V-function v also retains the three sections in its definition. However, 


these: sections’ s' definitions and meanings are not the s same as in Section 24.12 of Chapter 2. 


Figure 19. Derived V-function v

Mapping Description: $D^n;\ D_v \to R_v$
Applicability Condition: $\varphi_v : D^n \times D_v \to \text{Boolean}$
Derivation: $\mathrm{der}\,v$ such that $(\mathrm{der}\,v_{S^n}) \in (D_v \to R_v)$ for states $S^n$


As before, the derivation section defines a function schema, denoted $\mathrm{der}\,v$, expressed as the composition of the non-derived and hidden V-functions of the machine and other functions associated with the elements of $D_v$. But, if v is a greater than unary operation, $\mathrm{der}\,v$ also specifies the state in which each non-derived or hidden V-function should be interpreted. For any states $S^n$, the mapping associated with the schema is denoted by $(\mathrm{der}\,v_{S^n})$.

As an example, consider the derivation section of common_element_? in Figure 17. For any two states $S_1$ and $S_2$, common_element_? returns the value
$$(\exists i)\,[\mathit{has}_{S_1}(i) \wedge \mathit{has}_{S_2}(i)].$$
This value is, of course, dependent on the mappings associated with has in state $S_1$ and has in state $S_2$.

Now, for any states $S^n$, the mapping associated with $\mathrm{der}\,v_{S^n}$ is a member of $(D_v \to R_v)$ where $D_v$ and $R_v$ are specified by v's mapping description. The sets $D_v$ and $R_v$ can not contain any elements of the data abstraction defined by the machine. Finally, the applicability condition specifies a partial function $\varphi_v$ from $\mathcal{S}^n \times D_v$ into the Booleans.


6.1.2 O-functions

O-functions too have the meaning and interpretation of the three sections in their definition changed.

Figure 20. O-function o

Mapping Description: $D^n;\ D_o \to D$
Applicability Condition: $\varphi_o : \mathcal{S}^n \times D_o \to \text{Boolean}$
Effects Section: $\tau_o : D^n \times D_o \to D$

As with derived V-functions, the mapping description now contains $D^n$ and $D_o$ to reflect the O-functions' extended capability. Furthermore, $D_o$ is constrained so that it contains no elements of the data abstraction defined by the machine. The applicability condition and effects section are also extended to reflect the O-functions' new interpretation.

The applicability condition of an O-function now defines a partial function $\varphi_o$ from $\mathcal{S}^n \times D_o$ into the Booleans. Similarly, the effects section of an O-function now defines a partial function $\tau_o$ from $D^n \times D_o$ into $D$.
6.2 The Semantics of a State Machine
6.2.1 The State Set of a State Machine

Our purpose in this section is to define $\mathcal{S}$. Here, we shall use the same approach outlined in Section 2.2.1, taking the transitive closure of the initial state $Q$ under the state transition function. The initial state $Q$ is the tuple $(\mathit{init}_{v_1}, \ldots, \mathit{init}_{v_n})$ containing the mappings derived from the initial value section of each of the non-derived and hidden V-functions $(v_1, \ldots, v_n)$. Furthermore, the next state function has the following definition.


Definition
Let o be an O-function with mapping description $D^n;\ D_o$, mapping $\varphi_o$ in its applicability condition and mapping $\tau_o$ in its effects section. Let $a \in D_o$ and $R \in D^n$. Then,
$$\mathrm{NEXT}(R, o, a) = \begin{cases} \tau_o(R, a) & \text{if } \varphi_o(R, a) = \text{true} \\ R & \text{if } \varphi_o(R, a) = \text{false} \end{cases}$$


Thus, the state set is generated as follows.
1) $Q \in \mathcal{S}$.
2) If o is an O-function with mapping description $D^n;\ D_o$ and $S^n \in \mathcal{S}^n$, then if $\mathrm{NEXT}(S^n, o, a)$ is defined, $\mathrm{NEXT}(S^n, o, a) \in \mathcal{S}$ where $a \in D_o$.
3) These are the only elements of $\mathcal{S}$.

Note that in 2) above $\mathrm{NEXT}(S^n, o, a)$ may be undefined. As was explained in Chapter 2, this depends on the partial functions $\tau_o$ and $\varphi_o$. To guarantee that NEXT is always defined, we introduce the notion of a well-defined state machine.


Definition
A state machine is well-defined if for any O-function o with mapping description $D^n;\ D_o$ and for any $S^n \in \mathcal{S}^n$, $\mathrm{NEXT}(S^n, o, a)$ is defined where $a \in D_o$.

This definition guarantees that in a well-defined state machine, for every O-function o with mapping description $D^n;\ D_o$, $\varphi_o$ is a total function from $\mathcal{S}^n \times D_o$ into the Booleans and $\tau_o$ is a total function from $\{(S^n, a) \in \mathcal{S}^n \times D_o \mid \varphi_o(S^n, a)\}$ into $\mathcal{S}$.


6.2.2 The Semantics of V-functions and O-functions

With this definition of the state set $\mathcal{S}$ of a state machine specification, it is possible to formally define the meaning of the O-functions and V-functions. This will be done by defining mappings V-Eval for V-functions and O-Eval for O-functions such that
$$\text{V-Eval} : \mathcal{S}^n \times NV \to [A \to R]$$
and
$$\text{O-Eval} : \mathcal{S}^n \times NO \to [A \to \mathcal{S}]$$
where $NV$ is the set of V-function names, $A$ is the set of arguments, $R$ is the set of results and $NO$ is the set of O-function names. Note that the domains of V-Eval and O-Eval have been changed to reflect the extensions made to the V-functions and O-functions.
O-Eval will be defined first. For an O-function o with mapping description $D^n;\ D_o$ and applicability condition $\varphi_o$, and for any $S^n \in \mathcal{S}^n$, O-Eval returns a function from $D_o$ into $\mathcal{S} \cup \{\text{error}\}$. So, using $\lambda$-notation,
$$\text{O-Eval}(S^n, o) = \lambda a.[\,\varphi_o(S^n, a) \to \mathrm{NEXT}(S^n, o, a),\ \text{error}\,]$$
O-Eval$(S^n, o)$ is not necessarily total since either $\varphi_o(S^n, a)$ or $\mathrm{NEXT}(S^n, o, a)$ can be undefined. However, O-Eval$(S^n, o)$ is always a total function in a well-defined state machine.

For any non-derived or hidden V-function v and $S \in \mathcal{S}$, V-Eval will return a function from $D_v$ into $R_v \cup \{\text{error}\}$. So for any non-derived or hidden V-function v with applicability condition $\varphi_v$,
$$\text{V-Eval}(S, v) = \lambda a.[\,\varphi_v(S, a) \to v_S(a),\ \text{error}\,]$$
Finally, for a derived V-function v with mapping description $D^n;\ D_v \to R_v$, applicability condition $\varphi_v$ and derivation $\mathrm{der}\,v$,
$$\text{V-Eval}(S^n, v) = \lambda a.[\,\varphi_v(S^n, a) \to (\mathrm{der}\,v_{S^n})(a),\ \text{error}\,]$$
where $S^n \in \mathcal{S}^n$.

Note that the function that V-Eval evaluates to is not necessarily defined over the entire set $D_v$ since the applicability condition can be undefined or, depending on the type of V-function, $v_S(a)$ or $(\mathrm{der}\,v_{S^n})(a)$ can be undefined when the applicability condition evaluates to true. When this is not the case, we say the state machine is consistent.


Definition
A state machine is consistent if,
for every state $S \in \mathcal{S}$ and non-derived or hidden V-function v,
V-Eval$(S, v)$ is a total function from $D_v$ into $R_v \cup \{\text{error}\}$
and if,
for every derived V-function v with mapping description $D^n;\ D_v$ and $S^n \in \mathcal{S}^n$,
V-Eval$(S^n, v)$ is a total function from $D_v$ into $R_v \cup \{\text{error}\}$.

In a consistent state machine, for non-derived and hidden V-functions $v_S$ is always a total function from $\{x \in D_v \mid \varphi_v(S, x)\}$ into $R_v$ and, for derived V-functions, $(\mathrm{der}\,v_{S^n})$ is always a total function from $\{x \in D_v \mid \varphi_v(S^n, x)\}$ into $R_v$.
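The definitions of Sections 6.1 and 6.2 run on a small constructed finite-set machine (has, insert, and a binary derived V-function in the role of common_element_?); this is an added example, not the thesis's text, and its capacity bound, V-functions and argument sample are assumptions:

```python
"""Executable model of the Chapter 6 semantics (constructed example): a state
is the tuple of mappings of the non-derived and hidden V-functions, the state
set is the closure of Q under NEXT (Section 6.2.1), and O-Eval / V-Eval return
`error` when an applicability condition is false.  The finite-set machine
(has, insert, binary derived common_element_?) stands in for Figure 17."""
from itertools import product

ERROR = "error"
LIMIT = 2          # constructed capacity bound (Chapter 5's set allows 100)
ARGS = (1, 2, 3)   # finite sample of D_insert used to explore the state set

# --- non-derived V-function has(i: integer) returns Boolean -----------------
# Its mapping is total (false for non-members), so a state is characterized
# by the set of members and can be represented as a frozenset.
def has_S(S, i):
    return i in S            # v_S(a) of Figure 18

def phi_has(S, i):
    return True

# --- O-function insert: mapping description D; integer -> D -----------------
def phi_insert(S, i):
    return len(S) < LIMIT    # applicability condition phi_o(S, a)

def tau_insert(S, i):
    return frozenset(S | {i})  # effects: 'has'(i) = true

# --- derived, binary V-function common_element_?: D^2; {()} -> Boolean ------
def phi_common(S1, S2, a):
    return True

def der_common(S1, S2, a):
    # (der v_{S1 S2})(a) = exists i [has_{S1}(i) and has_{S2}(i)]: the value
    # depends on `has` in both states, as Section 6.1.1.2 explains.
    return any(has_S(S1, i) and has_S(S2, i) for i in S1)

def NEXT(R, phi, tau, a):
    """Definition of Section 6.2.1; None models 'undefined'."""
    cond = phi(R, a)
    if cond is None:
        return None
    return tau(R, a) if cond else R

def O_Eval(R, phi, tau):
    return lambda a: NEXT(R, phi, tau, a) if phi(R, a) else ERROR

def V_Eval(states, phi, v):
    """states is (S,) for a unary v or (S1, ..., Sn) for an n-ary derived v."""
    return lambda a: v(*states, a) if phi(*states, a) else ERROR

def state_set(Q, ofuncs, args):
    """Rules 1)-3) of Section 6.2.1: close Q under every defined NEXT."""
    states, work = {Q}, [Q]
    while work:
        S = work.pop()
        for phi, tau in ofuncs:
            for a in args:
                T = NEXT(S, phi, tau, a)
                if T is not None and T not in states:
                    states.add(T)
                    work.append(T)
    return states

def is_well_defined(states, ofuncs, args):
    return all(NEXT(S, phi, tau, a) is not None
               for S in states for phi, tau in ofuncs for a in args)

def is_consistent(states, args):
    unary = all(V_Eval((S,), phi_has, has_S)(a) is not None
                for S in states for a in args)
    binary = all(V_Eval(pair, phi_common, der_common)(()) is not None
                 for pair in product(states, repeat=2))
    return unary and binary

Q = frozenset()                 # init_has: no element is present
INSERT = (phi_insert, tau_insert)

def demo():
    states = state_set(Q, [INSERT], ARGS)
    s12 = O_Eval(O_Eval(Q, *INSERT)(1), *INSERT)(2)
    refused = O_Eval(s12, *INSERT)(3)     # capacity reached: error, not a state
    s2 = O_Eval(Q, *INSERT)(2)
    common = V_Eval((s12, s2), phi_common, der_common)(())
    return {"states": len(states), "refused": refused, "common": common,
            "well_defined": is_well_defined(states, [INSERT], ARGS),
            "consistent": is_consistent(states, ARGS)}
```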
7. Conclusions

The aim of this thesis has been the development of a formal specification technique for data abstractions based on three ideas. First, a general model for the semantics of a state machine specification was developed. This model gave an effective construction for the state set of a state machine and then uses the state set to formalize the semantics of the V-functions and the O-functions. Also, the concepts of a well-defined and of a consistent state machine were introduced. Next, this abstract model was used to formalize the semantics of a concrete specification language for state machines. This language was used to specify a number of data abstractions and also to illustrate how to prove a particular state machine is well-defined and consistent. Then a proof methodology to use with state machine specifications was discussed and illustrated. This methodology employed the homomorphism property to establish the correctness of an implementation of a state machine specification. Finally, the model for the semantics of a state machine specification was extended. This new model allowed the specification of a greater class of data abstractions than the previous one. In this final chapter, the usefulness of the state machine specification technique is evaluated and reviewed. This evaluation is then followed by some suggestions for further research on state machine specifications.
7.1 Evaluation 


The state machine specification technique is best suited for the specification of data abstractions. Its conceptual basis of a group of functions operating on a state set matches quite well the notion of a data abstraction where a group of functions operate on a collection of objects. To construct a state machine specification of a data abstraction, one must model the objects of the data abstraction using the V-functions of the machine. In a sense, this corresponds to modelling the objects of the data abstraction by using infinite arrays. So the state machine technique is a variant of the abstract model approach [Berzins 78], [Yonezawa 77] where one is restricted to modelling objects of the data abstraction by using infinite arrays.
In the abstract model approach, the objects of a data abstraction are represented in terms of other data abstractions with known properties established by formal specifications given in advance. Then the operations of the data abstraction being defined can be specified in terms of the operations of the known abstractions selected as the representation. So, a model for the data abstraction is developed. This differs from axiomatic specifications [Zilles 74], [Goguen 75], [Guttag 75] where the behavior of a data abstraction is given by axioms relating its operations. Currently research is being done on both these techniques. Since any comparison made between abstract model and axiomatic specifications will apply to state machine specifications, we shall limit the following discussion to a comparison of the abstract model and state machine techniques.
In using the abstract model approach one is free to choose the data abstractions used to represent the specified objects. Thus it appears that abstract model specifications would be easier to construct than state machine specifications. In fact, one can encounter difficulty in using the state machine technique to specify an abstraction whose objects can not be modelled well by arrays, such as lists or trees.
Another issue in constructing state machine specifications is that one usually wishes to write a specification that is well-defined and consistent. So it will be necessary to prove that these two properties hold. Studying the proofs in Appendix 2, it appears, at first glance, that the proofs of these two properties are rather complex. However, while the proofs in Appendix 2 may indeed be somewhat cumbersome, they are basically quite simple and straightforward. They primarily rely on the definitions in Chapter 3. The most "creative" step in the proofs was the introduction of the lemmas. Even here, however, the creativity involved was minimal. For example, when I started work on showing that the specification of queue was well-defined, I did not begin with the first lemma. It was only when I was forced to show that both front and back could be evaluated in any state that I realized that I had to prove this lemma. So, in carrying out the method outlined in Section 2.2.4, I found the extra condition I needed to simplify the proof. This experience was repeated when I attempted to show that V-Eval(S, first_element) was total.

I feel that in most cases it will be necessary to prove simple lemmas to help in carrying out proofs of properties of state machine specifications. However, it appears that these lemmas are usually quite easy to discover and that the remaining steps in the proof will involve one in time consuming, but not difficult, work. However, it appears that proving the correctness of an implementation will be more difficult. Here not only is it necessary to show that the homomorphism property holds but one must also show that the abstraction function is an onto mapping. This latter task is not simple. One must first characterize every equivalence class of the state set and then show that there exists an element of the concrete objects that maps into this element.

To prove that some property holds for an abstract model specification of a data abstraction, one must show that the property holds in the data abstraction's model. The difficulty of this proof depends on how well chosen the model is. Thus proving that a property holds in a state machine specification can be easier or harder than proving that the same property holds in an abstract model specification according to the aptness of the latter specification's model. However, proving the correctness of a data abstraction specified by either technique appears to involve equal difficulty.
7.2 Topics for Further Research


One area for further research is to determine the usefulness of the state machine specification technique. Specifically, can state machine specifications be used successfully in the design and development of large scale software systems? Research that should help answer this question is currently being done at SRI. They have used state machine type specifications in the design of a provably secure operating system [Neumann 71] and are developing a methodology for the development of software that uses state machine type specifications. Their preliminary results in this area have been encouraging.

Another research area is the extension of the state machine specification technique's error handling capabilities. At present, when the applicability condition of an O-function or V-function evaluates to false, the function returns the special symbol error. Clearly, this does not give the user any clue as to what has caused the error. More information should be given. Furthermore, the meaning of returning an error message has not been discussed.

The specifications could be extended to allow one to define more descriptive error messages. For example, cardinality in the finite set specification of Chapter 5 could return an error message such as "too many elements" when one attempts to add more than 100 integers to the set. Parnas has noted that more information is needed to describe how his specifications handle errors [Parnas 72, 75].


Another extension to state machine specifications can be to increase the class of data abstractions specified. Throughout this thesis, we have assumed that the data abstractions specified by a state machine are immutable. In an immutable data abstraction the objects of the abstraction are constants; this is reflected in the behavior of the states in a state machine specification. An O-function o, when given a state $S$ and $x \in D_o$, does not modify $S$, but instead returns a new state $S'$. Furthermore, if the O-function o is again given $S$ and $x$ in a later computation, the result is the same. Similar behavior is also exhibited by a V-function. In a mutable data abstraction, by contrast, the behavior of the objects may change.
Appendix I - Undecidable Properties of State Machines

In this appendix, we shall show that it is impossible to decide algorithmically whether or not a state machine, specified in ALMS, is well-defined or consistent. This is established by reducing both problems to the blank tape halting problem for Turing machines. The blank tape halting problem is the problem of determining, given a particular Turing machine T, whether or not T halts when started on blank tape. This problem is undecidable [Hennie 77].

The definition of a Turing machine used here is given by [Hennie 77]. A Turing machine consists of an infinitely long tape coupled to a finite control unit. The tape, which acts as the machine's memory unit, is ruled off into squares. Each square may be inscribed with a single symbol from a finite alphabet $\Sigma$, or it may be blank. The special symbol $\beta$ is used to represent a blank. The control unit can shift the tape back and forth and is able to examine one square at any time.

The control unit is capable of assuming any one of a fixed, finite number of states. We shall only consider deterministic Turing machines. So, at any given time, the state of the control unit, together with the currently scanned tape symbol, uniquely determines the behavior of the Turing machine. The Turing machine has two actions: it may either halt or carry out a move. Each move consists of writing a symbol on the currently scanned tape square, shifting the tape one square to the left or right, and causing the control unit to enter a new state.[1] The action of the Turing machine is characterized by the successive moves that occur when, initially, the control unit assumes some predesignated starting state and some finite number of the tape squares are inscribed with symbols and the remainder are left blank.

[1] The symbol that the Turing machine writes need not differ from the one that is already there and the new state need not differ from the current state.


A move is specified by a quintuple
$$(q_i,\ s_j,\ s_k,\ d,\ q_l)$$
where $q_i$ is the current state,
$s_j$ is the symbol under the tape head,
$s_k$ is the symbol to be printed on the tape,
$d \in \{\text{right}, \text{left}\}$ is the direction of the head's movement, and
$q_l$ is the next state.

Each quintuple must have a distinct prefix $q_i s_j$. The Turing machine halts when the control unit is in a state $q$ and is scanning a symbol $s$ such that $q s$ is not the prefix of any quintuple.
So, assume we are given a Turing machine M with quintuples
$$(q_{i_1}, s_{j_1}, s_{k_1}, d_1, q_{l_1}),\ \ldots,\ (q_{i_n}, s_{j_n}, s_{k_n}, d_n, q_{l_n})$$
and initial state $q_0$. Now, consider the state machine given in Figure 21. For the notation $\mu(d)$,
$$\mu(d) = \begin{cases} 1 & \text{if } d = \text{right} \\ -1 & \text{if } d = \text{left} \end{cases}$$
Figure 21. Turing_machine_M_1

Turing_machine_M_1 = state machine is tape, state, head_pos, move

state = non-derived V-function( ) returns character string
Appl. Cond.: true
Initial Value: q_0
end state

head_pos = non-derived V-function( ) returns integer
Appl. Cond.: true
Initial Value: 0
end head_pos

tape = non-derived V-function(i: integer) returns character string
Appl. Cond.: true
Initial Value: β
end tape

well_defined_? = hidden V-function( ) returns integer
Appl. Cond.: true
Initial Value: undefined
end well_defined_?

move = O-function( )
Appl. Cond.: true
Effects:
if state = q_{i_1} ∧ tape(head_pos) = s_{j_1} then 'state' = q_{l_1}
if state = q_{i_1} ∧ tape(head_pos) = s_{j_1} then 'head_pos' = head_pos + μ(d_1)
if state = q_{i_1} ∧ tape(head_pos) = s_{j_1} then 'tape'(head_pos) = s_{k_1}
...
if state = q_{i_n} ∧ tape(head_pos) = s_{j_n} then 'state' = q_{l_n}
if state = q_{i_n} ∧ tape(head_pos) = s_{j_n} then 'head_pos' = head_pos + μ(d_n)
if state = q_{i_n} ∧ tape(head_pos) = s_{j_n} then 'tape'(head_pos) = s_{k_n}
if ¬((state = q_{i_1} ∧ tape(head_pos) = s_{j_1}) ∨ ... ∨ (state = q_{i_n} ∧ tape(head_pos) = s_{j_n}))
    then 'tape'(head_pos) = well_defined_?
end move

end Turing_machine_M_1
Turing_machine_M_1 simulates M by having a state of the state machine correspond to each step in M's computation. Now, Turing_machine_M_1 is not well-defined if and only if M halts when started on blank tape. Assume M halts when started on blank tape. Then there is a state S of Turing_machine_M_1 corresponding to the final step in M's computation. In S,
¬((state = q_{i_1} ∧ tape(head_pos) = s_{j_1}) ∨ ... ∨ (state = q_{i_n} ∧ tape(head_pos) = s_{j_n}))
evaluates to true. But the equation
'tape'(head_pos) = well_defined_?
is undefined since the V-function well_defined_? is undefined in every state. So NEXT(S, move, λ) is undefined and Turing_machine_M_1 is not well-defined. Going the other way, if Turing_machine_M_1 is not well-defined, this can only be caused by the equation
'tape'(head_pos) = well_defined_?
since the other equations only use total V-functions. Thus
¬((state = q_{i_1} ∧ tape(head_pos) = s_{j_1}) ∨ ... ∨ (state = q_{i_n} ∧ tape(head_pos) = s_{j_n}))
is satisfied in some state, so M must halt.

Now, consider the state machine specification in Figure 22. This state machine is not consistent if and only if M halts when started on blank tape. First, assume M halts on blank tape. Then there is a state S for which
¬((state = q_{i_1} ∧ tape(head_pos) = s_{j_1}) ∨ ... ∨ (state = q_{i_n} ∧ tape(head_pos) = s_{j_n}))
evaluates to true. Consider O-Eval(S, move)(λ) = S*. In S*, switch evaluates to true, so the V-function consistent_? is not total. By reversing this argument, it is seen that if Turing_machine_M_2 is not consistent, M halts on blank tape.
Figure 22. Turing_machine_M_2

Turing_machine_M_2 = state machine is tape, state, consistent_?, head_pos, move

state = non-derived V-function( ) returns character string
Appl. Cond.: true
Initial Value: q_0
end state

head_pos = non-derived V-function( ) returns integer
Appl. Cond.: true
Initial Value: 0
end head_pos

tape = non-derived V-function(i: integer) returns character string
Appl. Cond.: true
Initial Value: β
end tape

consistent_? = non-derived V-function( ) returns integer
Appl. Cond.: switch
Initial Value: undefined
end consistent_?

switch = hidden V-function( ) returns Boolean
Appl. Cond.: true
Initial Value: false
end switch

move = O-function( )
Appl. Cond.: true
Effects:
if state = q_{i_1} ∧ tape(head_pos) = s_{j_1} then 'state' = q_{l_1}
if state = q_{i_1} ∧ tape(head_pos) = s_{j_1} then 'head_pos' = head_pos + μ(d_1)
if state = q_{i_1} ∧ tape(head_pos) = s_{j_1} then 'tape'(head_pos) = s_{k_1}
...
if state = q_{i_n} ∧ tape(head_pos) = s_{j_n} then 'state' = q_{l_n}
if state = q_{i_n} ∧ tape(head_pos) = s_{j_n} then 'head_pos' = head_pos + μ(d_n)
if state = q_{i_n} ∧ tape(head_pos) = s_{j_n} then 'tape'(head_pos) = s_{k_n}
if ¬((state = q_{i_1} ∧ tape(head_pos) = s_{j_1}) ∨ ... ∨ (state = q_{i_n} ∧ tape(head_pos) = s_{j_n}))
    then 'switch' = true
end move

end Turing_machine_M_2
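The Figure 21 construction carried out for one concrete Turing machine, as an added example that is not part of the thesis; the quintuples, the blank symbol and the bound on the number of moves are constructed assumptions:

```python
"""Constructed example (not the thesis's code): the Figure 21 encoding of a
Turing machine M as Turing_machine_M_1, run as a simulation.  `move` applies
the quintuple whose prefix (state, scanned symbol) matches; when no prefix
matches, M has halted and the last equation of `move` refers to the hidden
V-function well_defined_?, whose value is undefined, so NEXT is undefined."""

BLANK = "#"   # stands in for the blank symbol beta of Appendix I

# Quintuples (q_i, s_j, s_k, d, q_l) of a constructed machine that writes
# three 1s and then halts when started on blank tape.
HALTING = [
    ("q0", BLANK, "1", "right", "q1"),
    ("q1", BLANK, "1", "right", "q2"),
    ("q2", BLANK, "1", "left", "q3"),   # q3 scanning "1" matches no prefix
]
# A constructed machine that never halts: it walks right forever.
LOOPING = [("q0", BLANK, BLANK, "right", "q0")]
Q0 = "q0"

def mu(d):
    """The direction notation of Appendix I: +1 for right, -1 for left."""
    return 1 if d == "right" else -1

def initial_state():
    """(state, head_pos, tape) as in Figure 21; tape(i) is initially blank
    everywhere, and well_defined_? has no value in any state."""
    return {"state": Q0, "head_pos": 0, "tape": {}}

def tape_at(S, i):
    return S["tape"].get(i, BLANK)

def NEXT_move(S, quintuples):
    """NEXT(S, move, lambda): the applicability condition is true, so the
    effects section decides; None models an undefined next state."""
    for qi, sj, sk, d, ql in quintuples:
        if S["state"] == qi and tape_at(S, S["head_pos"]) == sj:
            tape = dict(S["tape"])
            tape[S["head_pos"]] = sk                    # 'tape'(head_pos) = s_k
            return {"state": ql,                        # 'state' = q_l
                    "head_pos": S["head_pos"] + mu(d),  # 'head_pos' = head_pos + mu(d)
                    "tape": tape}
    # No prefix matches: the equation 'tape'(head_pos) = well_defined_? is
    # undefined, so NEXT is undefined and the machine is not well-defined.
    return None

def run(quintuples, max_moves=50):
    """Apply move until NEXT is undefined.  Returns (moves made, halted, S);
    halted is True exactly when M halts within max_moves moves."""
    S = initial_state()
    for n in range(max_moves):
        T = NEXT_move(S, quintuples)
        if T is None:
            return n, True, S
        S = T
    return max_moves, False, S
```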
Appendix II - Proofs

This appendix contains the proofs of the lemmas and the results in Section 3.3 of Chapter 3. We shall first show that the specification is well-defined. This will be done by initially proving a lemma that captures the key properties necessary to insure that the machine is well-defined. Then, with the aid of the lemma, we will establish that the specification is well-defined.

First, some notational details must be handled. We shall denote the initial state of queue by $Q$, its state set by $\mathcal{S}$ and also
$$\mathcal{S} \subseteq (D_{storage} \to R_{storage}) \times (D_{back} \to R_{back}) \times (D_{front} \to R_{front}).$$

Lemma  For any $S \in \mathcal{S}$, $back_S \in [\{\lambda\} \to integer]$ and $front_S \in [\{\lambda\} \to integer]$ and $back_S \neq \emptyset \neq front_S$, where $\emptyset$ is the null set.


Proof by induction:

Basis: By definition,
$back_Q = \{(\lambda, 0)\}$ and $front_Q = \{(\lambda, -1)\}$.

Inductive step: Assume for all
$S = NEXT(\ldots NEXT(NEXT(Q, o_1, a_1), o_2, a_2) \ldots, o_{n-1}, a_{n-1})$
where $a_i \in D_{o_i}$, $n \ge 2$ and $o_i \in \{insert, delete\}$, that $back_S \in [\{\lambda\} \to integer]$ and $front_S \in [\{\lambda\} \to integer]$ and $back_S \neq \emptyset \neq front_S$. We must show for all
$S^* = NEXT(S, o, x) \in \mathcal{S}$
where $x \in D_o$ and $o \in \{insert, delete\}$, that $back_{S^*} \in [\{\lambda\} \to integer]$ and $front_{S^*} \in [\{\lambda\} \to integer]$ and $back_{S^*} \neq \emptyset \neq front_{S^*}$.

Case 1: $back_{S^*}$
Case 1a: $o = insert$
Then $S^* = NEXT(S, insert, x)$.
Since $\varphi(S, true, insert, x) = true$,
$S^* = TE(S, insert, x, \text{'storage'}(back - 1) = i, \text{'back'} = back - 1)$
$\quad = E(E(S, insert, x, \text{'storage'}(back - 1) = i), insert, x, \text{'back'} = back - 1)$.
Since $S^* \in \mathcal{S}$, $S^*$ is defined and, hence,
$S^\circ = E(S, insert, x, \text{'storage'}(back - 1) = i)$ is defined.
Then $S^* = E(S^\circ, insert, x, \text{'back'} = back - 1)$
$\quad = (storage_{S^\circ}, \{(\lambda, \gamma(S^\circ, back - 1, insert, x))\}, front_{S^\circ})$
$\quad = (storage_{S^\circ}, \{(\lambda, S^\circ \vdash back - 1)\}, front_{S^\circ})$
$\quad = (storage_{S^\circ}, \{(\lambda, back_{S^\circ} - 1)\}, front_{S^\circ})$.
Now $back_{S^\circ} = back_S$ and so, by the inductive hypothesis, it is a member of $[\{\lambda\} \to integer] - \{\emptyset\}$.
Thus, $back_{S^*} \in [\{\lambda\} \to integer] - \{\emptyset\}$.
Case 1b: $o = delete$
Since $S^* = NEXT(S, delete, \lambda)$ is by assumption defined, there are two cases relating to $\varphi(S, \neg(front = back - 1), delete, \lambda)$.
Case 1b1: $\varphi(S, \neg(front = back - 1), delete, \lambda) = false$.
Then $S^* = S$ and by the inductive hypothesis,
$back_{S^*} \in [\{\lambda\} \to integer] - \{\emptyset\}$.
Case 1b2: $\varphi(S, \neg(front = back - 1), delete, \lambda) = true$.
Then $S^* = TE(S, delete, \lambda, \text{'front'} = front - 1)$.
So $back_{S^*} = back_S$ which, by the inductive hypothesis, is a member of $[\{\lambda\} \to integer] - \{\emptyset\}$.

Case 2: $front_{S^*}$
Case 2a: $o = insert$
Here, $S^* = TE(S, insert, x, \text{'storage'}(back - 1) = i, \text{'back'} = back - 1)$.
So, $front_{S^*} = front_S \in [\{\lambda\} \to integer] - \{\emptyset\}$ by the inductive hypothesis.
Case 2b: $o = delete$
Case 2b1: $\varphi(S, \neg(front = back - 1), delete, \lambda) = false$.
Then $S^* = S$ and by the inductive hypothesis,
$front_{S^*} \in [\{\lambda\} \to integer] - \{\emptyset\}$.
Case 2b2: $\varphi(S, \neg(front = back - 1), delete, \lambda) = true$.
Then $S^* = TE(S, delete, \lambda, \text{'front'} = front - 1)$
$\quad = E(S, delete, \lambda, \text{'front'} = front - 1)$
$\quad = (storage_S, back_S, \{(\lambda, \gamma(S, front - 1, delete, \lambda))\})$
$\quad = (storage_S, back_S, \{(\lambda, S \vdash front - 1)\})$
$\quad = (storage_S, back_S, \{(\lambda, front_S - 1)\})$.
By the inductive hypothesis, $front_S \in [\{\lambda\} \to integer] - \{\emptyset\}$, so
$front_{S^*} \in [\{\lambda\} \to integer] - \{\emptyset\}$.


We can now prove that the machine is well-defined using the above lemma. Three properties must be established: i) the applicability conditions of the O-functions insert and delete are defined; ii) the next state function is defined for both insert and delete; and, finally, iii) the ordering of the equations in both insert's and delete's effects sections is immaterial. Note that iii) is trivially established since delete has only one equation in its effects section and the two equations in insert's effects section modify different V-functions. Thus, it is only necessary to deal with i) and ii). We now complete the proof.

Case 1: The Applicability Condition
Case 1a: Insert's Applicability Condition
$\varphi(S, true, insert, x) = S \vdash true = true$
Case 1b: Delete's Applicability Condition
$\varphi(S, \neg(front = back - 1), delete, \lambda) = S \vdash \neg(front = back - 1)$
$\quad = \neg(front_S = back_S - 1)$
By the lemma, both $front_S$ and $back_S$ are members of $[\{\lambda\} \to integer] - \{\emptyset\}$ so $\neg(front_S = back_S - 1)$ is defined.


Case 2: The Next State Function
Case 2a: $NEXT(S, insert, x)$
By Case 1a, $\varphi(S, true, insert, x) = true$. So,
$NEXT(S, insert, x) = TE(S, insert, x, \text{'storage'}(back - 1) = i, \text{'back'} = back - 1)$
$\quad = E(E(S, insert, x, \text{'storage'}(back - 1) = i), insert, x, \text{'back'} = back - 1)$
Now,
$E(S, insert, x, \text{'storage'}(back - 1) = i)$
$\quad = (\lambda y.[(y = \gamma(S, back - 1, insert, x)) \to \gamma(S, i, insert, x), storage_S(y)], back_S, front_S)$
$\quad = (\lambda y.[(y = back_S - 1) \to x, storage_S(y)], back_S, front_S)$
$\quad = S^\circ$
Note that $back_S$ is defined by the lemma so $S^\circ$ is defined.
Now,
$E(S^\circ, insert, x, \text{'back'} = back - 1)$
$\quad = (storage_{S^\circ}, \{(\lambda, \gamma(S^\circ, back - 1, insert, x))\}, front_{S^\circ})$
$\quad = (storage_{S^\circ}, \{(\lambda, back_{S^\circ} - 1)\}, front_{S^\circ})$
$\quad = (storage_{S^\circ}, \{(\lambda, back_S - 1)\}, front_S)$
By the lemma, $back_S$ is defined and hence $NEXT(S, insert, x)$ is defined.
Case 2b: $NEXT(S, delete, \lambda)$
Case 2b1: $\varphi(S, \neg(front = back - 1), delete, \lambda) = false$
Then $NEXT(S, delete, \lambda) = S$.
Case 2b2: $\varphi(S, \neg(front = back - 1), delete, \lambda) = true$
Then $NEXT(S, delete, \lambda) = TE(S, delete, \lambda, \text{'front'} = front - 1)$
$\quad = E(S, delete, \lambda, \text{'front'} = front - 1)$
$\quad = (storage_S, back_S, \{(\lambda, \gamma(S, front - 1, delete, \lambda))\})$
$\quad = (storage_S, back_S, \{(\lambda, S \vdash front - 1)\})$
$\quad = (storage_S, back_S, \{(\lambda, front_S - 1)\})$
So by the lemma, $NEXT(S, delete, \lambda)$ is defined. □


We will now show that the specification is consistent. This involves proving that the four V-functions are total. For front and back note that

1) back
$\text{V-Eval}(S, back) = \lambda a.[\varphi(S, true, back, a) \to back_S, error]$
$\quad = \lambda a.[true \to back_S, error]$
$\quad = \lambda a.back_S$

2) front
$\text{V-Eval}(S, front) = \lambda a.[\varphi(S, true, front, a) \to front_S, error]$
$\quad = \lambda a.[true \to front_S, error]$
$\quad = \lambda a.front_S$

By the lemma, both $back_S$ and $front_S$ are defined.

To see that both V-Eval(S, storage) and V-Eval(S, first_element) are total, we must again introduce a lemma and then prove the desired results directly from the lemma. The lemma describes the domain of storage.

Lemma
For any $S \in \mathcal{S}$, if $front_S \ge k \ge back_S$, then $storage_S(k)$ is defined.

Basis: Since $front_Q = \{(\lambda, -1)\}$ and $back_Q = \{(\lambda, 0)\}$, the lemma trivially follows.


Inductive step: Assume for all
$S = NEXT(\ldots NEXT(NEXT(Q, o_1, a_1), o_2, a_2) \ldots, o_{n-1}, a_{n-1})$
where $a_i \in D_{o_i}$, $n \ge 2$ and $o_i \in \{insert, delete\}$, that if $front_S \ge k \ge back_S$, then $storage_S(k)$ is defined. We must show for all
$S^* = NEXT(S, o, x) \in \mathcal{S}$
where $x \in D_o$ and $o \in \{insert, delete\}$, that if $front_{S^*} \ge k \ge back_{S^*}$, then $storage_{S^*}(k)$ is defined.

Case 1: $o = insert$
Note $x \in D_{insert}$.
Case 1a: $front_{S^*} = back_{S^*}$
Then $storage_{S^*}(front_{S^*})$ evaluates to $x$ due to the equations $\text{'storage'}(back - 1) = i$ and $\text{'back'} = back - 1$.
Case 1b: $front_{S^*} \ne back_{S^*}$
Then $front_{S^*} > back_{S^*}$, and $front_{S^*} = front_S$ and $back_{S^*} = back_S - 1$. So for $front_{S^*} \ge k \ge back_{S^*} + 1$, $storage_{S^*}(k)$ is defined by the inductive hypothesis. Also, $storage_{S^*}(back_{S^*})$ evaluates to $x$ due to the equations $\text{'storage'}(back - 1) = i$ and $\text{'back'} = back - 1$.

Case 2: $o = delete$
Since $front_{S^*} = front_S - 1$ and $back_{S^*} = back_S$, for $front_{S^*} \ge k \ge back_{S^*}$, $storage_{S^*}(k)$ is defined by the inductive hypothesis.

To see that V-Eval(S, storage) is total, note that
$\text{V-Eval}(S, storage) = \lambda a.[\varphi(S, front \ge i \ge back, storage, a) \to storage_S(a), error]$
The desired result immediately follows. To see that V-Eval(S, first_element) is total, note that for any $S \in \mathcal{S}$
$\text{V-Eval}(S, first\_element)$
$\quad = \lambda a.[\varphi(S, \neg(front = back - 1), first\_element, \lambda) \to \gamma(S, storage(front), first\_element, \lambda), error]$
$\quad = \lambda a.[\neg(front_S = back_S - 1) \to storage_S(front_S), error]$
If $\neg(front_S = back_S - 1)$ is false, then
$\text{V-Eval}(S, first\_element) = \lambda a.error$.
Otherwise,
$\text{V-Eval}(S, first\_element) = \lambda a.storage_S(front_S)$.
Now $front_S \ge back_S$ so, by the lemma, $storage_S(front_S)$ is defined. Thus, we conclude V-Eval(S, first_element) is total.
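The queue specification these proofs are about, as an executable model in which both lemmas and the well-definedness and consistency conditions of Section 6.2 are checked over every computation up to a fixed length; this is an added example, not the thesis's own material, and the depth bound and the sample of insert arguments are assumptions:

```python
"""Constructed example (not the thesis's code): the queue specification whose
proofs Appendix II carries out, modelled with the state tuple
(storage_S, back_S, front_S), the single-equation update E, the effects
function TE and NEXT, plus bounded checks of both lemmas and of
well-definedness and consistency over every computation
NEXT(...NEXT(NEXT(Q, o1, a1), o2, a2)..., on, an) of length at most DEPTH."""
from itertools import product

ERROR = "error"
LAMBDA = ()                 # the null argument of a nullary V-function
DEPTH, SAMPLE = 4, (7, 8)   # computation-length bound; sample of D_insert

# Q = (storage_Q, back_Q, front_Q): storage empty, back = 0, front = -1.
Q = ((), (LAMBDA, 0), (LAMBDA, -1))

def storage_S(S, k):
    return dict(S[0]).get(k)    # None models an undefined value

def back_S(S):
    return S[1][1]

def front_S(S):
    return S[2][1]

def E(S, o, x, eq):
    """E(S, o, x, eq): apply one effects equation, evaluated in S."""
    storage = dict(S[0])
    back, front = S[1], S[2]
    if eq == "'storage'(back - 1) = i":
        storage[back_S(S) - 1] = x
    elif eq == "'back' = back - 1":
        back = (LAMBDA, back_S(S) - 1)
    elif eq == "'front' = front - 1":
        front = (LAMBDA, front_S(S) - 1)
    return (tuple(sorted(storage.items())), back, front)

def TE(S, o, x, *eqs):
    for eq in eqs:             # equations applied in the order written
        S = E(S, o, x, eq)
    return S

def phi(S, o):
    """Applicability conditions: insert is always applicable; delete and
    first_element require not (front = back - 1), i.e. a non-empty queue."""
    return True if o == "insert" else not (front_S(S) == back_S(S) - 1)

def NEXT(S, o, x):
    if not phi(S, o):
        return S
    if o == "insert":
        return TE(S, o, x, "'storage'(back - 1) = i", "'back' = back - 1")
    return TE(S, o, x, "'front' = front - 1")

def V_Eval(S, v):
    """The lambda-functions of Appendix II; ERROR where the condition fails."""
    if v == "back":
        return lambda a: back_S(S)
    if v == "front":
        return lambda a: front_S(S)
    if v == "storage":
        return lambda i: storage_S(S, i) if front_S(S) >= i >= back_S(S) else ERROR
    return lambda a: storage_S(S, front_S(S)) if phi(S, "first_element") else ERROR

def computations(depth):
    """Every state reached by a computation of length <= depth from Q."""
    seen = {Q}
    ops = [("insert", x) for x in SAMPLE] + [("delete", LAMBDA)]
    for n in range(1, depth + 1):
        for seq in product(ops, repeat=n):
            S = Q
            for o, x in seq:
                S = NEXT(S, o, x)
            seen.add(S)
    return seen

def lemma_front_back(S):       # first lemma: back_S and front_S are defined
    return back_S(S) is not None and front_S(S) is not None

def lemma_storage(S):          # second lemma: storage_S(k) for front >= k >= back
    return all(storage_S(S, k) is not None
               for k in range(back_S(S), front_S(S) + 1))

def check_queue(depth=DEPTH):
    states = computations(depth)
    well_defined = all(NEXT(S, o, x) is not None for S in states
                       for o, x in [("insert", 0), ("delete", LAMBDA)])
    consistent = all(V_Eval(S, v)(a) is not None for S in states
                     for v in ("back", "front", "storage", "first_element")
                     for a in range(-depth - 1, 1))
    return {"states": len(states),
            "lemma1": all(map(lemma_front_back, states)),
            "lemma2": all(map(lemma_storage, states)),
            "well_defined": well_defined, "consistent": consistent}
```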